And cert pinning in the browsers blows this out of the water, which is why I'm of two minds about it as a security feature. It seems that a lot of security these days is really about removing people's control over their own devices.
You can import an own root cert which will be honored. I work in a company where all internal servers have a certificate a non-public root has signed. Works both on Chrome and FF.