SSL certificates for local web applications [closed]

My understanding is that there are three ways you could go about setting up an intranet web server (local network only) for HTTPS.

  1. Self-signed SSL certificate. Cons: Browsers typically don't like these. Lots of ugly warnings at the very least.
  2. Create your own SSL Certificate Authority. Cons: You have to manually install the CA on every single device that will be accessing the site (assuming it is even possible on every platform you might encounter).
  3. Purchase a real (external) domain name and get an SSL cert that covers a subdomain which will only exist in your internal DNS.

Options 1 & 2 are IMO nonstarters for the fact that the user experience is absolutely horrible at best. Option 3 is also very non-ideal for a few reasons. For one, it requires you to spend money and keep a domain renewed. Let's say hypothetically that this web app was something you envisioned everyone and their mother wanting to use (by use I mean run their own local version on their private network). That would require everyone who wants to run this app to register a domain. That's a fairly huge requirement and barrier to entry.

My real question is this: would it make sense for IANA to reserve a TLD specifically for private networks, and then for web browsers to accept self-signed SSL certificates from domains bearing this TLD if and only if that domain resolves to a private IP address?


No.

Just because a web server is on a local network does not mean it's the one you are intending to visit and has not been compromised.

Further, what defines a local network? What is to stop someone abusing a "special local TLD"? How do you define local and handle its exceptions? How can you be sure that because something is on the LAN it's not been compromised or MITM'd?

BTW, there is already a .local special domain name reserved for local networking.