Okay, so screw the “public/private” nonsense then. Thanks for clearing that up.
You have TLDs that are reserved for internal/local use by the RFC I cited above. Having an optional local CA (as an opt-in) signed by an intermediary CA like LE or Symantec would not require any additional "self-signed root CA" or "CA" key deployment. And it would be secure by default if a dev used it.
I mean, the local CA would sign certificates only for these specific TLDs.
It would be much less of a pain in the butt…
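The mechanism that makes "sign only for these specific TLDs" enforceable rather than a promise is the X.509 Name Constraints extension (RFC 5280 section 4.2.1.10) on the local CA's own certificate. The following is an added example, not code from this thread or from any CA; it uses the Python `cryptography` package. The self-signed root only stands in for whatever upstream CA would sign the local intermediate, the "Local Dev CA" name, the hostnames and the validity periods are assumptions, and the permitted list is the RFC 6761 special-use names plus `home.arpa` from RFC 8375. It also shows the part a relying party would check: a leaf for `www.example.com` signed with the local key still fails, so a stolen local key cannot be used outside the reserved names.

```python
"""Name-constrained local CA for reserved TLDs (added example, not the thread's code)."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# RFC 6761 special-use names plus home.arpa (RFC 8375). RFC 5280 constraint form:
# no leading dot; the constraint "test" matches "test" and any name ending in ".test".
LOCAL_SUFFIXES = ["test", "localhost", "invalid", "example", "home.arpa"]


def dns_name_permitted(name, permitted):
    """RFC 5280 4.2.1.10 DNS matching: the constraint equals the name or is a
    suffix of it on a label boundary ("attacker-test" does not match "test")."""
    name = name.lower().rstrip(".")
    for c in permitted:
        c = c.lower().rstrip(".")
        if name == c or name.endswith("." + c):
            return True
    return False


def _cn(value):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, value)])


def _builder(subject, issuer, public_key, days):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=days))
    )


def make_local_ca():
    """Stand-in upstream root (assumption) plus the name-constrained local intermediate."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    root_name = _cn("Upstream Root (stand-in)")
    root = (
        _builder(root_name, root_name, root_key.public_key(), 3650)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(root_key, hashes.SHA256())
    )
    local_key = ec.generate_private_key(ec.SECP256R1())
    local = (
        _builder(_cn("Local Dev CA"), root_name, local_key.public_key(), 365)
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        # The point of the exercise: relying parties reject any leaf whose SAN
        # falls outside these subtrees, whatever the local key signs.
        .add_extension(
            x509.NameConstraints(
                permitted_subtrees=[x509.DNSName(s) for s in LOCAL_SUFFIXES],
                excluded_subtrees=None,
            ),
            critical=True,
        )
        .sign(root_key, hashes.SHA256())
    )
    return root, local, local_key


def permitted_dns_names(ca_cert):
    """Read the DNS permitted subtrees back out of the CA certificate."""
    nc = ca_cert.extensions.get_extension_for_class(x509.NameConstraints).value
    return [g.value for g in (nc.permitted_subtrees or []) if isinstance(g, x509.DNSName)]


def issue_leaf(local_cert, local_key, hostname, ignore_constraint=False):
    """Sign a server cert. ignore_constraint=True models a misused local key."""
    if not ignore_constraint and not dns_name_permitted(hostname, permitted_dns_names(local_cert)):
        raise ValueError(f"{hostname!r} is outside this CA's permitted names")
    return (
        _builder(_cn(hostname), local_cert.subject, local_key.public_key(), 90)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
        .sign(local_key, hashes.SHA256())
    )


def verify_leaf(leaf, local_cert, hostname):
    """Relying-party side: signature by the local CA, then every SAN DNS name
    against the local CA's own name constraints, then the expected hostname."""
    local_cert.public_key().verify(
        leaf.signature, leaf.tbs_certificate_bytes, ec.ECDSA(leaf.signature_hash_algorithm)
    )
    san = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    names = san.get_values_for_type(x509.DNSName)
    allowed = permitted_dns_names(local_cert)
    return hostname in names and all(dns_name_permitted(n, allowed) for n in names)


if __name__ == "__main__":
    _root, local, key = make_local_ca()
    ok = issue_leaf(local, key, "myapp.test")
    print("myapp.test accepted:", verify_leaf(ok, local, "myapp.test"))
    rogue = issue_leaf(local, key, "www.example.com", ignore_constraint=True)
    print("www.example.com rejected:", not verify_leaf(rogue, local, "www.example.com"))
```

Two caveats a practitioner would check before relying on this: the constraint only binds if the relying party honours critical Name Constraints (modern browsers and OpenSSL do), and a root that is publicly trusted would additionally have to be willing to sign such an intermediate, which this example does not address.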