I shall join the ranks of the idiots then, cause the question "Are the certificates on these IoT devices centrally managed?" makes no sense to me either, just not because I wouldn't know what certificates are.

Centrally managed? Like are these devices enrolled into some centralized management system, and so is the question whether that system also manages the OS root cert store? (And would have been followed up with whether it blocks TLS traffic that it's unable to intercept?) Or is it maybe whether the vendor's applications deployed to these devices use that or carry their own?

But then I read on, and PKI and HTTPS comes up. Is centrally managed then referring to PKI being a centralized trust system, and so is the question really "are you using CA issued domain certs"? Why the contrived phrasing then?

And then there's a mention of an internal domain name. Internal as in private? Sounds a bit suspect that the guys who don't know what a certificate is would have a private DNS with a private CA to boot, but it sure would be centralized alright.

I think it's inquisitive that the first common point reached was HTTPS: yes/no? -> yes. But then even that was seemingly a bit too new info: in the portrayed discussion it is first also asked whether HTTP is in picture. This makes me question, just what did the author even know about these devices when they prompted their centrally managed certificates question.

Maybe a better question at that stage would have been, "So, how do these devices communicate, and what to?", letting them explain it in their own terms first?

The difference here is that you know enough to ask the follow-up questions

In a normal OS under normal conditions, the certificate store is centrally managed by the OS vendor. The answer then is “yes”.

But it's possible to install a certificate of your own in which case the answer is probably “no” because when it expires you're going to have to to every one of those machines and install the replacement.

Or imagine an embedded computer that doesn't even have an OS. Then the certificate store just has whatever the developer put into it when they built the image. Again the answer is “no”. If you're lucky you can still rebuild the image and reflash the devices even though the engineer who did the work was fired as a cost–cutting measure. If you're not lucky then that VP’s cost–cutting has actually added a lot of cost.