In many envisioned IoT applications, security is crucial. However, designing and/or deploying existing security techniques in IoT systems is not straightforward due to the inherent heterogeneity of IoT devices as well as their huge number. A critical security building block is represented by the Public Key Infrastructure (PKI) relying on Certificate Authorities (CAs). However, even a single-point-of-failure in a PKI may affect entire IoT systems due to its centralized nature. Failures have far reaching effects as the number of IoT devices increases. Furthermore, it is difficult for the owners of IoT devices to manage the certificates for their IoT devices since there are no standard protocols for retrieving, installing and updating the certificates. As a result, IoT device manufacturers often install certificates on the devices on behalf of the owners of the devices, which introduces the risk that the private keys of the devices are leaked by the manufacturers. In this paper, we propose a decentralized PKI for IoT, called IoT-PKI, which utilizes distributed nodes in a blockchain network instead of CAs, and thus addresses scalability. IoT-PKI protects against key leakages at device manufacturers since it allows the owners of IoT devices to manage the certificates of their IoT devices. Finally, we show the feasibility and efficiency of IoT-PKI through our prototype implementation and experiments.