I would suggest getting a router that runs OpenWRT or OPNsense. That will let you configure anything you need to. It’s open source firmware so it will respect your privacy.
If you go with OPNsense, you will need separate access points since it runs on a PC. The Unifi access points work well for that.
I just add my CA to my devices and use self-signed certificates for stuff on my LAN. I don’t want to go through all the trouble of using Let's Encrypt for something that’s not accessible from the internet.