Protecting SSL private key in a Curl script

[aensys]

Hello Folks,

I am not a too deeply practiced coder and I ran into a problem using CURL on one of my devices:
The situation: I have a smart device - planned to sell to the public - which has to connect to servers/cloud/etc.
These servers are using SSL and certificates not justs to secure the communication channel between the client and the server, but also to authenticate the client on the server. No valid device cert, no download, no data exchange, no connection, nothing.
So I have to install a certificate to it and pass it to the CURL script.
1. I have to give the cert. It is OK.
2. If the CA is not a valid one, I have to give my CA's cert. It is OK also.
3. I have to give the private key of the device certificate - and that's where I have the problem! If I do not use a password for the key anybody who has the device and hack it somehow can stole this identity and ruin the network of those devices which are using this certificate.
The situation is the same if protect the key with password and I put it to the curl script in plain text.
If I do not provide password to the private key, the identity will not be validated so the connection will not be established.

What is the solution or the best practice for a case like this?