This might help

https://blog.pishop.co.za/using-a-raspberry-pi-as-a-bluetooth-speaker-with-pipewire/

Your response clearly states publicly accessible DNS. A CA does not require anything public for local SSL and can work in conjunction with whatever service they want for that which is public.

public domain for internal services

I guess they need a CA then

https://smallstep.com/docs/step-ca/

https://www.freecodecamp.org/news/docker-nginx-letsencrypt-easy-secure-reverse-proxy-40165ba3aee2/