The article discusses how to set up TLS certificates for internal services without creating TLS issues for HTTP clients. It presents two approaches: using a top-level domain restricted by ICANN for private use or using a public apex domain with split-horizon DNS configuration. The author recommends the latter approach, which involves using a Web Access Firewall (WAF) to reject traffic that does not originate from the VPN. This setup allows for the use of public CA certificates, such as those from Let's Encrypt, and eliminates the need for self-signed certificates.