>This CA has some restrictions though: it can only issue certificates for subdomains of lcl.host and localhost, but that’s all you need for local development.

This sound like a security feature, not (just) an annoying restriction. Though an attack model for a local CA is a bit flimsy.