Thanks. This helps a lot.

Yes, it’s not obvious, maybe I should try to complete this post one day.

The original key bootstrap was “crammed” by the factory. The idea is to change those credentials with the first bootstrap and rotate them often, so someone with this key is unable to MiM or eavesdrop on the communication, because he needs to capture 100% of the traffic. Yes, it’s not magic: you need different credentials per device and to rotate them quite often.