Wondering about intranet server certs

Running a corporate CA is a very common solution. You push out the CA to your internal devices via whatever device management solution you use, or install manually during device setup.

There are plenty of solutions, from Microsoft's Active Directory Certificate Services, Red Hat's identity management CA, HashiCorp's Vault, Smallstep's ACME-compatible CA, and plenty more. If you're in a cloud environment, there are solutions there too, like AWS's Private CA product.

You can use public certificates to avoid needing an internal CA too. If your servers are managed via a configuration management tool of some sort, you can centrally handle issuing and distributing certificates - probably using the DNS authentication mechanism to request all the certs you need.

Self-signed certificates are always an option too, though that can be annoying for end-users who will have to trust them individually, and understand the warnings when they're replaced.

The main reason people don't want to use public certs internally is that all certificates are logged publicly, so it may reveal more than you'd like about your internal infrastructure. As well, it's an additional dependency on an outside party.
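As an added example (not part of the original post): the "DNS authentication mechanism" mentioned above is ACME's DNS-01 challenge (RFC 8555), where the central tool publishes a TXT record for each name, so the intranet server never has to be reachable from the internet. The sketch below computes that record; the hostnames, token and account key are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Unpadded base64url, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

# JWK members that enter the RFC 7638 thumbprint, per key type.
_REQUIRED = {"EC": ("crv", "kty", "x", "y"),
             "RSA": ("e", "kty", "n"),
             "OKP": ("crv", "kty", "x")}

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 thumbprint of the ACME account's public key (RFC 7638)."""
    required = {k: jwk[k] for k in _REQUIRED[jwk["kty"]]}
    # Canonical form: required members only, sorted keys, no whitespace.
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def dns01_record(hostname: str, token: str, account_jwk: dict) -> tuple:
    """Return (record name, TXT value) that proves control of hostname."""
    # A wildcard name is validated at its base domain.
    base = hostname[2:] if hostname.startswith("*.") else hostname
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return f"_acme-challenge.{base.rstrip('.')}", b64url(digest)

# Constructed sample input: x and y are placeholders, not a real curve point.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "c2FtcGxlLXgtY29vcmRpbmF0ZS1wbGFjZWhvbGRlcg",
               "y": "c2FtcGxlLXktY29vcmRpbmF0ZS1wbGFjZWhvbGRlcg",
               "kid": "constructed-account-key"}
# In a real order the CA issues a fresh token per name; one is reused here.
SAMPLE_TOKEN = "constructed-token-0001"
HOSTS = ["wiki.corp.example.com", "*.corp.example.com"]

if __name__ == "__main__":
    for host in HOSTS:
        name, value = dns01_record(host, SAMPLE_TOKEN, ACCOUNT_JWK)
        print(f'{name}. 60 IN TXT "{value}"')
```

Only the machine that holds the DNS API credentials and the ACME account key needs outbound access; the issued names still appear in the public certificate logs.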