That sounds like it should work. So your general workflow would be something like:
- Push the router’s WAN address to your DNS so the A record for
serialnumber.router.managementgets set. - Spawn a publicly-available web server on port 80 or 443 (which you probably already have for the management UI) and serve the challenge files/SNI challenge.
- Let your ACME client do its magic and install the resulting certificate.
- Repeat steps 2 and 3 automatically every 2-3 months.
Sounds like a nice use-case for Let’s Encrypt! 