In this situation I would recommend you use a public domain you control. For this example, I’ll refer to a single installation for the fictional MOAA, Museum of Awesome Art: moaa.yourdomain.tld
- Set up a simple webserver on the public Internet at moaa.yourdomain.tld
- Use the Let’s Encrypt client to obtain a certificate for moaa.yourdomain.tld
- Move the certificate and the public key to the private server on the MOAA LAN
  - You can also use a higher security method we can discuss later with more steps
- Configure your capture portal to use moaa.yourdomain.tld as the internal address
  - Your capture portal already acts as an authoritative DNS server, so this should be an available option; otherwise you can use unbound or dnsmasq
- Users connecting to your network get redirected to https://moaa.yourdomain.tld/ which serves a certificate for moaa.yourdomain.tld that is trusted by the users’ mobile devices
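The two pieces of the procedure above that are easy to get subtly wrong are the split-horizon DNS override and the certificate that ends up being served on the LAN. The script below is an added example (not code from the post or from Let's Encrypt): it emits the resolver fragments for dnsmasq and unbound, and checks the LAN server the way a redirected phone would, sending the public name as SNI and verifying against the system CA store. The LAN address 10.0.0.5 and the resolver choice are assumptions; the hostname is the one from the post.

```python
"""Split-horizon DNS fragments and a certificate sanity check for the captive
portal setup described above. This is an added example, not code from the post.
Assumed values (not in the original): the private web server's LAN address is
10.0.0.5 and the portal's resolver is dnsmasq or unbound.
"""
import socket
import ssl
import time

HOSTNAME = "moaa.yourdomain.tld"
LAN_IP = "10.0.0.5"  # assumption: LAN address of the private MOAA server


def dns_override_lines(hostname: str, lan_ip: str) -> dict:
    """Resolver fragments that answer the public name with the LAN address.

    Public DNS keeps pointing at the Internet-facing host (so Let's Encrypt
    can validate it); only clients using the portal's resolver get the override.
    """
    return {
        "dnsmasq": f"address=/{hostname}/{lan_ip}",
        "unbound": (
            f'local-zone: "{hostname}." static\n'
            f'local-data: "{hostname}. IN A {lan_ip}"'
        ),
    }


def _name_matches(san: str, hostname: str) -> bool:
    """Match one DNS SAN entry against the hostname, allowing a single
    left-most wildcard label (the only wildcard form Let's Encrypt issues)."""
    san, hostname = san.lower(), hostname.lower()
    if san.startswith("*."):
        labels = hostname.split(".", 1)
        return len(labels) == 2 and labels[1] == san[2:]
    return san == hostname


def cert_problems(cert: dict, hostname: str, now: float, min_days_left: int = 14) -> list:
    """List problems with a peer certificate in the dict form returned by
    ssl.SSLSocket.getpeercert(): name mismatch, expiry, or expiry approaching.

    Let's Encrypt certificates are valid for 90 days and the copy on the LAN
    server does not renew itself, so the expiry check is the one to schedule.
    """
    problems = []
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_name_matches(san, hostname) for san in sans):
        problems.append(f"certificate is for {sans}, not {hostname}")
    seconds_left = ssl.cert_time_to_seconds(cert["notAfter"]) - now
    days_left = seconds_left / 86400
    if days_left < 0:
        problems.append("certificate has expired")
    elif days_left < min_days_left:
        problems.append(f"certificate expires in {days_left:.0f} days")
    return problems


def check_lan_server(hostname: str, lan_ip: str, port: int = 443) -> list:
    """Connect to the LAN server by IP, but send the public name as SNI and
    verify the chain against the system CA store, exactly as a phone would
    after being redirected by the portal. Returns the problem list."""
    context = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    try:
        with socket.create_connection((lan_ip, port), timeout=5) as raw:
            with context.wrap_socket(raw, server_hostname=hostname) as tls:
                return cert_problems(tls.getpeercert(), hostname, time.time())
    except ssl.SSLCertVerificationError as exc:
        return [f"TLS verification failed: {exc.verify_message}"]
    except OSError as exc:
        return [f"connection to {lan_ip}:{port} failed: {exc}"]


if __name__ == "__main__":
    for resolver, fragment in dns_override_lines(HOSTNAME, LAN_IP).items():
        print(f"# {resolver}\n{fragment}\n")
    for problem in check_lan_server(HOSTNAME, LAN_IP) or ["certificate OK"]:
        print(problem)
```

Run it from a client on the MOAA LAN after copying the certificate over; an empty problem list means the name, chain and validity period are what a mobile device will accept. Because the LAN copy is made by hand, scheduling `cert_problems` (or the whole script) to run daily is what catches the 90-day expiry before visitors do.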