Using clients for both external and local access

I would never recommend using self-signed certificates: it's hard to distribute them to every client, and you can't share files with others (as they don't trust your cert). The best approach is to get a public DNS name and a Let's Encrypt TLS cert, which is trusted by all important clients from the beginning.

Take a look at this discussion; I think it gives you a good starting point:

Search for “split brain dns”, “split horizon dns”, “rebind protection”