Support Self-signed Certificate
In order to support automated deployment with unrelated domain names (TLDs), we would need to support using self-signed or otherwise non-WebPKI certificates. This would be equivalent to the functionality of pinnedPeerCertificateChainSha256 and allowInsecureIfPinnedPeerCertificate in TLS Security Setting. Certificate pinning would allow a certificate to be verified against its pinned self-signed certificate, instead of through the standardized Web PKI (the traditional CA model). This has adverse consequences for probe resistance and is only recommended for dynamic proxies.
Supporting self-signed certificates is necessary because a valid DNS TLD cannot be obtained and decommissioned under an hourly-billed usage model; therefore, no valid certificate can be generated with the current dynamic bridge model without additional cost.
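An added example, not code from this project: a Go client-side check in the spirit of the pinning described above, where a self-signed certificate is accepted only if its hash matches a value distributed out of band. The function names and the pin format (base64 of SHA-256 over the leaf certificate's DER bytes) are assumptions for illustration and are not taken from the pinnedPeerCertificateChainSha256 setting.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// selfSigned returns the DER bytes of a throwaway self-signed certificate (constructed sample).
func selfSigned() []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	if err != nil {
		panic(err)
	}
	return der
}

// pinOf computes the pin distributed out of band (assumed format: base64 SHA-256 of the leaf DER).
func pinOf(der []byte) string {
	sum := sha256.Sum256(der)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedConfig skips Web PKI validation and accepts only the pinned leaf certificate.
func pinnedConfig(pin string) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true, // no CA chain, hostname or expiry check; the callback is the only authentication
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 || pinOf(raw[0]) != pin {
				return fmt.Errorf("peer certificate missing or not pinned")
			}
			return nil
		},
	}
}

func main() {
	bridge, other := selfSigned(), selfSigned()
	verify := pinnedConfig(pinOf(bridge)).VerifyPeerCertificate
	fmt.Println("pinned:", verify([][]byte{bridge}, nil), "| unrelated:", verify([][]byte{other}, nil))
}
```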