My understanding is that there are three ways you could go about setting up an intranet web server (local network only) for HTTPS.
- Self-signed SSL certificate. Cons: Browsers typically don't like these. Lots of ugly warnings at the very least.
- Create your own SSL Certificate Authority. Cons: You have to manually install the CA on every single device that will be accessing the site (assuming it is even possible on every platform you might encounter).
- Purchase a real (external) domain name and get an SSL cert that covers a subdomain which will only exist in your internal DNS.
Options 1 & 2 are IMO a nonstarter because the user experience is absolutely horrible at best. Option 3 is also very non-ideal for a few reasons. For one, it requires you to spend money and keep a domain renewed. Let's say hypothetically that this web app was something you envisioned everyone and their mother wanting to use (by "use" I mean run their own local version on their private network). That would require everyone who wants to run this app to register a domain. That's a fairly huge requirement and barrier to entry.
My real question is this: would it make sense for IANA to reserve a TLD specifically for private networks, and then for web browsers to accept self-signed SSL certificates from domains bearing this TLD if and only if that domain resolves to a private IP address?
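As an added illustration of the rule the question proposes (this is example code written for this page, not something from the original post or from any browser), the decision logic below accepts a self-signed certificate only when the hostname sits under a reserved private-use TLD, the name resolved to an RFC 1918 / RFC 4193 address, the certificate is self-signed, and the certificate actually names the host. The TLD label `lan` is a placeholder assumption (the post does not propose a specific name), the certificate is represented in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns, and all sample inputs are constructed. Only the standard library is used.

```python
"""Decision logic for the proposed rule: accept a self-signed cert for a host
under a reserved private-use TLD if and only if the host resolved to a private
address. Assumptions (not from the post): the reserved TLD is the placeholder
'lan'; certificates use the dict layout of ssl.SSLSocket.getpeercert()."""
import ipaddress
from typing import Dict, List, Optional, Tuple

RESERVED_PRIVATE_TLD = "lan"  # hypothetical placeholder for the TLD IANA would reserve

# RFC 1918 (IPv4) and RFC 4193 (IPv6 ULA) ranges, listed explicitly rather than
# relying on ipaddress' broader .is_private (which also covers loopback, link-local, etc.).
PRIVATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]


def is_private_address(addr: str) -> bool:
    """True if the resolved address lies in one of the private ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETWORKS)


def normalize_host(host: str) -> str:
    """Lower-case and drop a trailing dot so 'Wiki.LAN.' and 'wiki.lan' compare equal."""
    return host.rstrip(".").lower()


def under_reserved_tld(host: str) -> bool:
    """Host must have at least two non-empty labels and end in the reserved TLD."""
    labels = normalize_host(host).split(".")
    return len(labels) >= 2 and all(labels) and labels[-1] == RESERVED_PRIVATE_TLD


def is_self_signed(cert: Dict) -> bool:
    """Structural self-signed check: issuer equals subject. A full check would also
    verify the signature with the certificate's own public key (not possible with
    the stdlib ssl module alone), so this is necessary, not sufficient."""
    return cert.get("issuer") == cert.get("subject")


def name_matches(cert: Dict, host: str) -> bool:
    """Match the host against DNS subjectAltName entries; a wildcard covers exactly
    one label and is refused directly under the TLD (e.g. '*.lan')."""
    host = normalize_host(host)
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        san = normalize_host(value)
        if san == host:
            return True
        if san.startswith("*."):
            base = san[2:]
            if base.count(".") >= 1 and host.count(".") == san.count(".") and host.endswith("." + base):
                return True
    return False


def should_accept(host: str, resolved_ip: str, cert: Dict) -> Tuple[bool, str]:
    """Apply the proposed browser rule; returns (decision, reason)."""
    if not under_reserved_tld(host):
        return False, "not under the reserved private TLD"
    if not is_private_address(resolved_ip):
        return False, "name resolved to a non-private address"
    if not is_self_signed(cert):
        return False, "not self-signed; fall back to normal chain validation"
    if not name_matches(cert, host):
        return False, "certificate does not name this host"
    return True, "accepted"


def make_cert(cn: str, sans: List[str], issuer_cn: Optional[str] = None) -> Dict:
    """Build a constructed certificate dict in getpeercert() layout (test data only)."""
    return {
        "subject": ((("commonName", cn),),),
        "issuer": ((("commonName", issuer_cn or cn),),),
        "subjectAltName": tuple(("DNS", s) for s in sans),
    }


if __name__ == "__main__":
    wiki = make_cert("wiki.lan", ["wiki.lan"])
    print(should_accept("wiki.lan", "192.168.1.20", wiki))   # private IP: accepted
    print(should_accept("wiki.lan", "203.0.113.5", wiki))    # public IP: refused
    print(should_accept("wiki.example.com", "10.0.0.5", wiki))  # wrong TLD: refused
```

Note what the rule does not cover: the check binds the decision to the address the name resolved to at connection time, so a record that later flips to a public address (DNS rebinding) would need re-evaluation on every resolution, and the self-signed test here is structural only.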