Which looks quite interesting to have HTTPS for my internal-only pages without need to deal with an external service, although you have to be very careful to setup your certs correctly with "Name Constraints" (https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.10) to avoid the risk of someone being able to MitM everything if they're able to get in and start issuing themselves certificates.