by ThePhysicist 2247 days ago
Can you not simply use a normal domain or subdomain and get a regular TLS certificate for it? The domain can still only be resolvable inside your Intranet using your internal DNS. You won’t need a special root CA in all browsers then.
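The setup proposed above (a publicly registered name whose records exist only on the internal resolver) can be expressed as a split-horizon configuration for Unbound. This is an added example, not from the thread or any of its participants; the names `corp.example.com`, the `10.0.12.x` addresses and the resolver address `10.0.0.53` are assumptions.

```conf
# Added example (not from the HN thread): split-horizon DNS in Unbound.
# Assumption: example.com is a publicly registered domain, so a public CA
# can issue for corp.example.com; the A records below live only on this
# internal resolver and are never published in the public zone.
server:
    interface: 10.0.0.53
    # Only intranet clients may query this resolver.
    access-control: 10.0.0.0/8 allow
    # Answer the internal zone from local data; "static" means names in the
    # zone without local data get NXDOMAIN instead of being forwarded upstream.
    local-zone: "corp.example.com." static
    local-data: "wiki.corp.example.com. IN A 10.0.12.7"
    local-data: "git.corp.example.com.  IN A 10.0.12.8"

# Everything else (public names) is forwarded to an upstream resolver.
forward-zone:
    name: "."
    forward-addr: 1.1.1.1
```

Because the hosts are not reachable from the Internet, the certificate is obtained with the ACME DNS-01 challenge: the CA only needs to see a `_acme-challenge` TXT record in the public `example.com` zone, so no internal address has to be exposed. One caveat to weigh against this approach: every issued certificate is published in Certificate Transparency logs, so the internal hostnames (though not their addresses) become public; a wildcard certificate for `*.corp.example.com` limits that to the zone name.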

> simply use a normal domain or subdomain and get a regular TLS certificate

Yes, I can make that switch, but I also think every domain should be considered normal.

However in this particular case, the Intranet TLD is purposely hidden from public resolvers.

By definition, ICANN TLDs are considered special, because the whole www PKI infrastructure only works for those. Browsers cater to those TLDs, and CAs have guidelines for those.

I understand the need for hiding your TLD though. I don't see a nice solution here, sadly.