I would be perfectly happy with a solution where browsers show a scare screen for self-signed certificates on the public internet but a benign-looking "Do you want to trust this certificate?" screen for 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 or mDNS .local domains.