I was in your boat once. I wanted all my local *Arr pages to have a pretty green check that meant I was doing the right things.
If you want to have local SSL you need to have an internal CA or you need to expose your network to the internet. I don't bother doing either, since it makes me less safe to expose anything to the internet if I don't have to, and I don't need an internal CA for anything else I'm doing, and it would be SO much more work just to see a green check mark that effectively means almost nothing in this scenario.
If you want to expose your services to the internet, use Cloudflare tunnels (free SSL, more secure than exposing your NPM to the internet). If you do not want to expose any services to the internet... just set up NPM without SSL, and know that the rest of the homelabists are doing the same thing.
That's what I was thinking too. I was going to set up an ADCS on my domain controller, but I don't think at this point I really need it.
This helped a lot, thank you for this one
I got this setup with nginx proxy manager. I used a wildcard certificate via nginx proxy manager and the DNS challenge + cloudflare api. Worked like a charm.
Oh cool, alright, I can do that then, seems simple enough. My only issue is that my local DNS has my domain as .local and not .com. Should that matter too much for doing this?