Interesting remark. Is the maximum lifetime of certificates something that will be enforced by browsers? Right now, I can easily generate a self-signed certificate of any duration: I just tried 100 years (using openssl), it works and is accepted by browsers (I tried recent versions of Chrome and Firefox).
For certificates on the general internet, where updates are easy, a maximum lifetime of 39 or 27 months makes sense. In my use case, it makes much less sense.
From what I gathered in a quick search, you are right: it should be possible (but not necessarily simple) to install my own CA as a user CA without root privileges. A user CA is not exactly the same as a system CA: for example, it requires a password for the screen lock, but okay, it comes close.
Still, I would strongly prefer to be able to use a standard tablet without special installation instructions. The installation of the root CA would be something my customers would have to do, not necessarily something I can do for them beforehand. The tutorials I could find don’t seem to be very simple, for example requiring a file to be copied to the root of the file system on the tablet without explaining how to do that.
A reference to a clear and simple tutorial would be very welcome.