Comment by infogulch
I want to give every device its own certificate to authenticate it with others via headscale to facilitate web development collaboration and authenticate remote management. I want to have a lightweight forward proxy in a semi-trusted remote VPS to proxy email at a particular domain down to my local mail server. I want to delegate maintenance of some application to a particular department. I want microservices run by different teams to communicate via authenticated TLS. I want to run web services in my Mars data center without wasting precious bandwidth on thousands of redundant ACME requests. Etc, etc, etc.
In all of these cases it would be idiotic to distribute the same wildcard cert to each host. And please don't say "you just shouldn't want to do that".