This is a great step, but I wish browsers would allow you to set domains that are considered to be secure origins in all cases. I have a decent intranet with transport security guaranteed by VPN, but because it isn't "HTTPS" I can't access tons of browser features.

I've set up an internal CA using minica [0] and trusted that CA in Chrome and Firefox with success. Each host got its own key, and I'm not even using a proper DNS server - I use Avahi, so all of my hosts are available as somehostname.local on all clients with Avahi/Bonjour installed.
