> (Some of us could go through the trouble of setting up a private CA to deal with this issue, but getting everything to trust your own personal CA root seems like almost as much of a hassle at times.)
This is the actual problem... setting up your own CA for internal networks could be automated relatively easily.
The problem is not the self-signed cert or CA. The problem is managing trust on the devices themselves.
Imagine you want to trust only _your_ self-signed cert or CA root for a specific service. Good luck making that work.
This issue should be so common that there should be baked-in functionality in every piece of software to allow for this. It's often totally missing or implemented incorrectly (self-signed certs or custom CAs are often trusted in _addition_ to the system CA roots!).
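Added example, not part of the comment above: a Python `ssl` sketch of the difference between trusting only a private CA for one service and trusting it in addition to the system roots. The function names and `ca_pem_path` (the path to your own CA's PEM file) are hypothetical.

```python
import ssl


def pinned_context(ca_pem_path: str) -> ssl.SSLContext:
    """Client context that trusts ONLY the CA(s) in ca_pem_path."""
    # A bare SSLContext starts with an empty trust store; nothing from the
    # operating system is consulted unless it is loaded explicitly.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT already sets both of these; stating them keeps a
    # later edit from silently weakening verification.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # Raises OSError if the file is missing, so a bad path fails closed
    # instead of falling back to some other trust store.
    ctx.load_verify_locations(cafile=ca_pem_path)
    return ctx


def additive_context(ca_pem_path: str) -> ssl.SSLContext:
    """The pattern criticised above: private CA on top of the system roots."""
    ctx = ssl.create_default_context()  # loads the system CA roots first
    ctx.load_verify_locations(cafile=ca_pem_path)
    return ctx


def trusted_subjects(ctx: ssl.SSLContext) -> list[str]:
    """Common names of the CA certificates currently loaded in ctx.

    Roots that OpenSSL loads lazily from a hashed directory (capath) are not
    listed here until a handshake pulls them in, so an empty or short list
    from additive_context() does not prove that the system roots are absent.
    """
    names = []
    for cert in ctx.get_ca_certs():
        for rdn in cert["subject"]:
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names
```

A server certificate issued by any public CA fails the handshake against `pinned_context(...)` but is accepted by `additive_context(...)`, which is the gap between the two.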