I thought about something like this, too. But actually I need a dynamic solution with a changing environment. That is why I just want TOFU. I want to prevent a man-in-the-middle attack, after a router already established a connection.
The same certificate on every device means if someone obtains the certificate's private key (which is of necessity deployed on every device), they can set up a MITM machine that matches all of them. If one node is hacked, the whole system is done.
Using the conventional approach of certificate CN matched to the device, and verifying them with a private CA, a device's certificate / key is only useful to MITM that one CN. Without the CA private key, they can't generate more certificates.
Use a script to create and sign a batch of certificates, with sequential CNs based on the IP where you will use them. Nothing within a certificate can be changed after it has been signed, which is the whole point of signing them to a higher CA.
Again, any reuse of the same certificate on multiple devices makes it impossible to isolate one which has been compromised.
Did I make a mistake? I have downloaded the crt for a router (server) with a specific IP. I always use that crt for a request against the same router with the same IP. An attacker must compromise the client and exchange that crt on the client to do a man-in-the-middle?
That is correct(*). But then you started asking about how to make a certificate which can be used on more than one server, which is a very bad idea.
(*) with the considerable potential problem that you must trust the first time you download the certificate. If you get fooled into downloading and trusting the MITM's phony certificate, then you won't know it's a MITM.
So the way to avoid that is to use a CA so the trust is distributed out of band. You hold the CA directly on your client machine; you can be sure it is your CA because you never need to download it from the network. Also you don't have to remember all the server certificates, only check that they are signed with your CA.
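An added example, not code posted by anyone in this thread, that puts both pieces of the advice above into a script: a private CA, one certificate per router with the CN (and an IP subjectAltName) set to that router's IP as suggested for batch issuance, and the client-side check that a presented certificate chains to the CA held locally. It also issues a self-signed certificate that merely copies a router's CN, the most an attacker without the CA private key can produce, and shows the local CA check rejecting it. It assumes the openssl CLI is installed; the scratch directory, CA name and the 10.0.0.x addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): private CA, per-router certificates
# keyed by IP, and a client-side "does this chain to my local CA?" check.
# Assumes the openssl CLI; paths, CA name and IPs below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates

# Create the private CA (self-signed). Its key stays on the signing host and
# is the only thing that can mint certificates the clients will accept.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Router CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Issue one certificate for one router, keyed by its IP: CN=<ip> plus an IP
# subjectAltName so clients that match SANs instead of CN still accept it.
issue_device_cert() {
  ip="$1"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$ip" \
    -keyout "$WORK/$ip.key" -out "$WORK/$ip.csr" >/dev/null 2>&1
  printf 'subjectAltName=IP:%s\n' "$ip" > "$WORK/$ip.ext"
  openssl x509 -req -in "$WORK/$ip.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -extfile "$WORK/$ip.ext" -out "$WORK/$ip.crt" >/dev/null 2>&1
}

# Batch issuance: one certificate per IP given, so no two routers share a key
# and a compromised router can be singled out without touching the others.
issue_batch() {
  for ip in "$@"; do
    issue_device_cert "$ip"
  done
}

# What someone without ca.key can do at most: a self-signed certificate that
# copies a router's CN. Used to show the local CA check rejects it.
make_rogue_cert() {
  ip="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ip" \
    -keyout "$WORK/rogue-$ip.key" -out "$WORK/rogue-$ip.crt" >/dev/null 2>&1
}

# Client-side check: does this certificate chain to the CA held locally?
# Exit status 0 when it does, non-zero otherwise.
verify_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Extract the CN so the client can also confirm it equals the IP it dialed.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//'
}

# Stand-alone demo: ./certs.sh demo
if [ "${1:-}" = demo ]; then
  make_ca
  issue_batch 10.0.0.1 10.0.0.2 10.0.0.3
  make_rogue_cert 10.0.0.1
  for f in "$WORK"/10.0.0.*.crt "$WORK"/rogue-10.0.0.1.crt; do
    if verify_cert "$f"; then status=trusted; else status=REJECTED; fi
    printf '%s CN=%s %s\n' "$f" "$(cert_cn "$f")" "$status"
  done
fi
```

Only ca.crt needs to be copied to each client, out of band, once; the client then checks every router's certificate with verify_cert and compares cert_cn to the IP it connected to. The rogue certificate carries the right CN but fails verify_cert because it was not signed with ca.key, which is the property the TOFU-style per-router download cannot give you after the first connection.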