by ewanm89 3263 days ago
1) Internal company webapps: just install the company root cert and create properly signed certs under the corporate internal CA. Installing the certificate across the network is easily automatable on Windows, OSX and Linux. The only issue is Firefox, as it uses its own trust store. Any senior admin who can't figure it out with the resources available (plenty of information available online) should be replaced; these days it is not that hard.

2) With regard to Raspberry Pi, well, anyone who can write code can also learn to create their own CA; the only difference is likely no automation of adding to the trust store, however it is only a 2-3 click install in most cases.


You are assuming that you control all client machines. Unfortunately it is not always possible, and it is far from being the admin's technical decision. The admin usually can't fire the upper management.
It's possible to purchase certs signed by pre-trusted CAs extremely cheaply ($9/year/name) that can then be used on internal services. This is not a difficult problem to solve.
You can't buy certs for non.public.domain.local. So you must control the CA list on all client machines and use a self-signed cert. The assumptions that there is a solution to the problem do not take into consideration that sometimes these changes are not possible.

If I were to choose, everyone would be using public domains with DNS zone views for public / private environments, but the Microsoft DNS service doesn't even support it.

Only if you also control DNS for those internal machines...
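
The trust dependency the thread argues about, as an added example that is not from any of the posts: a private root CA signs a certificate for the non.public.domain.local name mentioned above, and the certificate validates only on a client that has that root in its trust store. The CA name, key sizes, lifetimes and file layout are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example: internal CA plus one leaf certificate, using the openssl CLI.
# All names, lifetimes and paths below are assumptions.
set -eu

make_internal_pki() {   # $1 = work dir, $2 = internal host name
  dir=$1; host=$2
  # Minimal config so the result does not depend on the system openssl.cnf.
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Internal Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Root CA (self-signed). ca.crt is what every client must import;
  # ca.key is left unencrypted here only to keep the demo non-interactive.
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 365 -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Leaf key and CSR for the internal service.
  openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$host" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  # Clients match on subjectAltName, so it is set explicitly when signing.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$host" > "$dir/leaf.ext"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -sha256 -days 90 -extfile "$dir/leaf.ext" \
    -out "$dir/leaf.crt" 2>/dev/null
}

# Client that has imported the internal root.
client_with_root() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/leaf.crt" >/dev/null 2>&1
}
# Client with only its default trust store (root never installed).
client_without_root() {
  openssl verify -verify_hostname "$2" "$1/leaf.crt" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_internal_pki "$demo_dir" non.public.domain.local
client_with_root "$demo_dir" non.public.domain.local && echo "root installed: accepted"
client_without_root "$demo_dir" non.public.domain.local || echo "root missing: rejected"
rm -rf "$demo_dir"
```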