A PKI is not needed. Using an existing public PKI is obviously out of the question for Swisscom anyway. What's needed is just self-signed certificates here - a couple of lines of script in openssl just to have a default one and even if it's the exact same cert on all boxes it's not a problem. This way, you get an alert the first time you browse to it, and trust that certificate. If another one is suddenly presented through a MITM attack, it's immediately noticeable as the browser would alert again. But once this is put in place, adding the ability for users to paste their own certificate (.crt and .key) in base64 form would be very easy, just a change to the user interface. Users could then decide to use Let's Encrypt or their own PKI, etc. Just like Fritz!Box in fact :-) Importing your own certificate to the FRITZ!Box
In 2019, it's purely inconceivable to have an administrative console like on Internet Box 2 without SSL. This is against all basic security rules such as OWASP. Any smart kid can easily use Cain & Abel to MITM the box traffic and steal the admin password, then bypass any parental control or restrictions at will. Why can't you at the very least deploy a default self-signed cert (even if the same on all boxes), but more ideally let your customers upload their own certificate and key? "Security by example" should be your motto.
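
The default self-signed certificate, the trust-on-first-use behaviour and the check a pasted .crt/.key pair would need, as an added example that is not part of the original posts or any Swisscom or AVM code. The CN `internetbox.example`, the file names and the pin file (standing in for the browser's stored exception) are assumptions, and the two certificates are generated on the spot as constructed sample data.

```shell
#!/bin/sh
# Added example; CN, file names and pin-file location are assumptions.

# Default self-signed certificate and key, key readable by its owner only.
make_default_cert() {  # $1 = directory, $2 = base name
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
          -subj "/CN=internetbox.example" \
          -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null )
}

# SHA-256 fingerprint of a PEM certificate (empty output on error).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Trust on first use: pin the fingerprint on first contact, compare afterwards.
# Prints pinned / match / MISMATCH; returns 1 on mismatch, 2 on unreadable cert.
tofu_check() {  # $1 = pin file, $2 = presented certificate
    seen=$(cert_fingerprint "$2")
    [ -n "$seen" ] || return 2
    if [ ! -s "$1" ]; then
        printf '%s\n' "$seen" > "$1"; echo pinned; return 0
    fi
    if [ "$(cat "$1")" = "$seen" ]; then echo match; return 0; fi
    echo MISMATCH; return 1
}

# Upload check: the pasted .key must be the private half of the .crt's public key.
pair_matches() {  # $1 = certificate, $2 = private key
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Demo on constructed data: "other" stands in for any certificate that is
# not the one pinned on first contact.
demo() {
    d=$(mktemp -d) || return 1
    make_default_cert "$d" box && make_default_cert "$d" other
    tofu_check "$d/pin" "$d/box.crt"    # first visit: fingerprint is pinned
    tofu_check "$d/pin" "$d/box.crt"    # later visit: same certificate
    tofu_check "$d/pin" "$d/other.crt" || echo "alert: certificate changed"
    pair_matches "$d/box.crt" "$d/other.key" || echo "upload rejected: key/cert mismatch"
    rm -rf "$d"
}
demo
```
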