I haven't thought this through carefully, but you could do something like:
Tell your system to trust certificates signed by the manufacturer
Get them to sign and install on the device a certificate for its current IP address. Probably much better would be to use an IPv6 address, either local or global, because that's less likely to change.
You then connect to the device directly using the new certificate.
This still relies on them producing updated certs, though. And in the end it fails because of the ease of spoofing IP addresses. It also assumes that you're only using the IP address to access it and not coming in from outside via proxy or something.
A better solution would be to allow you to install your own self-signed certs on your device and tell your system to trust them...