Hacker News

echoangle today at 12:57 PM

> It is currently not possible to keep your internal network private and still have HTTPS without hacks or problems on standard end user devices.

Only if you consider transferring the cert from the public server to your internal server a hack. But how would it ever work otherwise? The CA needs to have some publicly accessible way to check your control of the domain, right?


Replies

0x000xca0xfe today at 1:12 PM

You need a fake DNS entry on your local network for this to work - I would call that a hack.

And what if you aren't running a public webserver like 99% of normal people out there?

> But how would it ever work otherwise? The CA needs to have some publicly accessible way to check your control of the domain, right?

I mean that's exactly the problem: Why do you have to rely on the public CA infrastructure for local devices?

Consider the scenario of a smart wifi bulb in your local network that you want to control with your smartphone.

IMO it would be great to have your home router act as a local CA that can only issue certificates for .local domains and have that trusted by default by user agents. Would make smart home stuff a lot better than the current situation...
