One of the better options is to own an actual (public) domain name and put all your local stuff behind a subdomain, such as local.example.com, internal.example.com or corp.example.com (a more concrete example: web1.local.example.com). You can make it so these are only resolvable in your local network.
In such a scenario you would be able to issue a publicly trusted certificate for any subdomain, e.g. by using the DNS-01 method.