ICANN approves use of .internal domain for your network

https://lemmy.world/post/18404910

Browsers barf at non-HTTPS now. What are we supposed to do about certificates?
You can set up your own CA, sign certs and distribute the root to every one of your devices if you really wanted to.
That sounds like a bad idea; you would need your CA and your root certs to be completely air-gapped for it to be even remotely safe.
As opposed to what, the domain certificate? Which can’t be air-gapped because it needs to be used by services and reverse proxies.
The domain certificate is public and its key is private? That’s basically it: if anyone gets access to your key, they can sign with your name and generate certificates without your knowledge. That’s my opinion and the main reason why I wouldn’t have a self-hosted CA. Maybe I’m wrong or misled, but it’s a lot of work to ensure everything is safe, only for a self-hosted setup.