246 points nh2 | 1 comments
1. ninkendo No.41913352
If only there was a system to hint in DHCP (or a v6 RA) what certificate authority serves the .internal domain for the current network.

Devices would treat .internal as special and would validate that the hinted CA only applied to that subdomain, and would only use that CA when connected to the corresponding network.

Or maybe the DHCP/RA could hint at keys to use to validate DNSSEC for the internal DNS server, and the CA cert could live in a well-known TXT record…

Then you could have all devices work with internal certs out of the box with no config. One can dream…
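The property the comment leans on is that a network-supplied CA must only ever be trusted for names under .internal, otherwise any DHCP server on a coffee-shop network could mint certificates for the public web. Below is an added example (not code from the thread or from any real implementation) showing the two layers a client would want, using only the Go standard library: the CA itself carries an X.509 name constraint permitting only `.internal`, and the client additionally refuses to consult the hinted CA for any other name and keeps it out of the system trust store. The DHCP/RA hint that delivers the CA is hypothetical and is not modelled; the CA, the hostnames `printer.internal` and `bank.example.com`, and the certificates are all constructed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// InternalSuffix is the zone the comment proposes treating as special.
const InternalSuffix = ".internal"

func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
}

// NewConstrainedCA builds a self-signed CA (constructed for this example) whose
// name constraints permit only DNS names under .internal. This stands in for
// the CA a network would hand out via the imagined (hypothetical) DHCP/RA hint.
func NewConstrainedCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "Example LAN CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		// Constraint in the CA: even a client that forgets to scope the CA
		// cannot be made to accept a certificate for a public name.
		PermittedDNSDomains:         []string{InternalSuffix},
		PermittedDNSDomainsCritical: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueLeaf signs a server certificate for one DNS name with the given CA.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyAgainstCA validates leaf for host using a trust store holding only the
// hinted CA; the CA's name constraints are enforced during chain building.
func VerifyAgainstCA(leaf, hintedCA *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(hintedCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// VerifyWithNetworkHint is the client-side policy from the comment: the hinted
// CA is consulted only for names under .internal, never for anything else.
func VerifyWithNetworkHint(leaf, hintedCA *x509.Certificate, host string) error {
	if !strings.HasSuffix(strings.ToLower(host), InternalSuffix) {
		return errors.New("hinted CA is only trusted for names under " + InternalSuffix)
	}
	return VerifyAgainstCA(leaf, hintedCA, host)
}

func main() {
	ca, caKey, err := NewConstrainedCA()
	if err != nil {
		panic(err)
	}
	for _, host := range []string{"printer.internal", "bank.example.com"} {
		leaf, err := IssueLeaf(ca, caKey, host) // same CA signs both on purpose
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-18s client policy: %v\n", host, VerifyWithNetworkHint(leaf, ca, host))
		fmt.Printf("%-18s CA constraint: %v\n", host, VerifyAgainstCA(leaf, ca, host))
	}
}
```

Running it shows `printer.internal` passing both checks, while a certificate for `bank.example.com` signed by the very same CA is refused twice: once by the client's scoping rule and, independently, by the name constraint embedded in the CA. The second layer matters because the hint arrives over an unauthenticated channel; a CA without constraints would turn whoever controls DHCP on the local network into a global CA for that client.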