It is always good practice to set up certificates everywhere. I do it for all of my internal services. Each person has a different level of care for how important privacy and security are and some people have abnormal threat profiles.
With that being said, options are usually to run self signed certificates, roll your own certificate authority for your network, or get valid certificates from a service like letsencrypt.
As an offensive security worker… I can’t help but read people listing out their attack surface 😂