I am currently running two versions of certificates with one residing on a VPS server and one on the local server with ODK Central installed on a VM.
The VPS server is linked through VPN to another Ubuntu VM to provide access to my local servers including ODK Central.
So, I can access ODK Central either by resolving locally to the local IP address where ODK Central is installed, or externally via the VPS public IP address, which links back to ODK Central by using Caddy.
Certificate-wise, Caddy provides automatic renewal of the Let's Encrypt SSL certificate, which works if you are accessing from outside the local network.
Fortunately, I am running OPNsense (similar to PfSense) on my local network.
I simply issued a Let's Encrypt certificate on OPNsense for the same domain name that I use to resolve to Central externally. Then, I converted the certificates issued by OPNsense to the appropriate files and used the customssl guide by following this link.
For your case, I believe installing an open source firewall like pfSense can help you with managing the local servers. If your target is local access only, then pfSense is an option, because you can limit the outward-facing interface to pfSense only, and it can definitely generate the Let's Encrypt certificates.
The only downside to this approach is that you have to manually replace the certificates just before they expire, during ODK Central downtime. If anyone knows of a better solution, I would gladly be open to any improvements to this approach.
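As an added example that is not part of the post above, here is a small POSIX shell script for the manual-replacement step it describes: it checks how close the currently installed customssl certificate is to expiry, verifies that an OPNsense-exported chain and key actually belong together before installing them, and then copies them into Central's customssl directory and rebuilds nginx. The install directory (`/opt/central`), the `files/local/customssl/fullchain.pem` and `privkey.pem` file names and the `docker compose build nginx` / `docker compose up -d` steps are assumptions taken from my reading of the customssl guide, not something the post states; adjust them to your own install.

```shell
#!/bin/sh
# Added example, not code from the original post or from ODK Central itself.
# Assumptions (not in the post): Central is installed under $CENTRAL_DIR, and
# the customssl guide's file names fullchain.pem / privkey.pem plus the
# "docker compose build nginx && docker compose up -d" steps apply.
set -eu

CENTRAL_DIR="${CENTRAL_DIR:-/opt/central}"          # assumed install path
CUSTOMSSL_DIR="$CENTRAL_DIR/files/local/customssl"   # assumed, per the customssl guide

# cert_needs_renewal CERT_PEM DAYS
# Prints "renew" if the certificate expires within DAYS days, "ok" otherwise.
# openssl's -checkend takes seconds and exits 0 only if the certificate is
# still valid at that point in the future, so the comparison is done by openssl.
cert_needs_renewal() {
    cert="$1"
    days="$2"
    if openssl x509 -noout -in "$cert" -checkend "$((days * 86400))" >/dev/null 2>&1; then
        echo ok
    else
        echo renew
    fi
}

# cert_key_match CERT_PEM KEY_PEM
# Returns 0 when the certificate and private key carry the same public key.
# This guards against pairing a chain exported from OPNsense with the wrong key,
# which would only show up as an nginx start failure during the downtime window.
cert_key_match() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# install_customssl NEW_FULLCHAIN NEW_PRIVKEY
# Copies the new chain and key into Central's customssl directory with sane
# permissions and rebuilds/restarts the nginx container (assumed guide steps).
install_customssl() {
    cert_key_match "$1" "$2" || { echo "certificate and key do not match" >&2; return 1; }
    install -m 0644 "$1" "$CUSTOMSSL_DIR/fullchain.pem"
    install -m 0600 "$2" "$CUSTOMSSL_DIR/privkey.pem"
    ( cd "$CENTRAL_DIR" && docker compose build nginx && docker compose up -d )
}

# renew_if_needed NEW_FULLCHAIN NEW_PRIVKEY DAYS
# Only touches the running install when the current cert is within DAYS of expiry.
renew_if_needed() {
    current="$CUSTOMSSL_DIR/fullchain.pem"
    if [ ! -f "$current" ] || [ "$(cert_needs_renewal "$current" "$3")" = renew ]; then
        install_customssl "$1" "$2"
    else
        echo "certificate still valid for more than $3 days; nothing to do"
    fi
}
```

Run it as `renew_if_needed /path/to/new-fullchain.pem /path/to/new-privkey.pem 14` from a cron job on the Central host after exporting the renewed certificate from OPNsense; the check is cheap, and the nginx rebuild (the only part that causes downtime) only happens when the installed certificate is actually close to expiry.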