
246 points nh2 | 1 comments
1. xyst No.41918033
wonder if it's just better to not deal with name constraints and self-signed certs. Let's Encrypt issues certs for domains with DNS validation.

so why wouldn't something like this work:

- designate subdomain for private network usage (i.e., *.internal.example.dev)

- issue certificates using ACME-compatible script/program (i.e., lego) for devices (i.e., dev1.internal.example.dev, dev2.internal.example.dev)

don't have to deal with adding self-signed certs to trust stores on devices. don't have to deal with messiness of name constraints compatibilities across apps. just plain ole TLS