1. On a corporate internet, you're probably in a position to deploy your own CA certificates. This is quite common.

2. Let's Encrypt will use an open protocol, so it should be OS-agnostic.

3. "Privileged Contexts" is being developed as a W3C working draft [1]. It's quite likely this won't be just a Mozilla-thing. Google has been fairly aggressive when it comes to pushing for more (and better) SSL as well (see SHA1 cert deprecation).

[1]: http://www.w3.org/TR/powerful-features/

I'm a person who actually deploys .net apps to internal IIS QA servers. If I want them to use HTTPS, I have to configure it. I don't know anything about my own CA certificates. I'm not saying it couldn't happen, but it's certainly easier to suggest just not using firefox if something isn't working.

So you handle deployment of apps inside a corporate network, and have no idea on how to manage you own CA?

How does you corporation handle actually important corporate sites that nobody must access?

It sound to my like your corp has some issues on this side.

I don't deal with public facing servers. You're right. We may have issues, but I don't know how it's handled.

...Why would a company need to run their own CA to do this?

How would you otherwise handle this? The only alternative I can think of: a split-horizon DNS sounds even more complex that having your own CA.

The other option is you can just install your self signed certs onto the client PCs via group policies.