@Edent variety of ways to solve this. Personally, I want to be my own local CA for my own network. So I would get an official domain name, say home.example, get a cert for it (e.g. Let's Encrypt) for my gateway device, but that cert would have the flag set that allows it to issue its own certs. I use that to issue certs for the devices on my network, all of which get a DNS name like temperature.home.example.

Lots of pieces would have to be made to work, but doable I think.