If you own your own domain, the lifecycle toolchain to request, renew, deliver certs around a variety of cert authorities (letsencrypt is a popular one) makes it really easy, along with not having to worry about hosting an internal CA but more importantly dealing with distributing root certs to client devices that would need to trust it.

I’ve used https://github.com/acmesh-official/acme.sh as a one-off for updating my Synology’s https certificate (two lines - one fetch, one deploy - finishes in 20 seconds and can be cron’d to run monthly) and Caddy natively handles the entire lifecycle for me (i use cloudflare for my domain registrar which makes it both free and a snap to handle TXT challenge requests).

Certbot is another popular one.

I did something similar, though I’ve done a slight bifurcation-

*.i.domain.tld -> the actual internal host/IP (internal dns is adguard)

*.domain.tld all resolve internally using a DNS rewrite to a keepalived VIP that’s shared between a few hosts serving caddy that handle automatic wildcard cert renewals / SSL / reverse proxy.

While I talk to things via *.domain.tld, a lot of my other services also talk to each other through this method - having some degree of reverse proxy HA was kinda necessary after introducing this sort of dependency.