I take it this means that if I want my server to act as a CA for other LAN devices, there had better be either (a) very few of them with well defined IPs, or (b) LAN devices accessed by host name + domain, and locally resolvable using local DNS, hosts file, or some other kind of local resolver?
Okay, so stepping back a minute, let me just say I know very little about the FreeNAS CA system other than to have observed it exists and appears to be able to set up a private and intermediate CA. I have, however, worked extensively with OpenSSL, and to a lesser extent Microsoft, and the principles are generally the same. I've done OpenSSL local CA designs for enterprise purposes where it is undesirable, impractical, or impossible to reasonably maintain certificates, due to location of a host (not Internet-reachable), security model, etc. You cover a lot of territory in a short question.
Certificates and DNS are not, despite the deceptive nature of "SAN: DNS," linked - you can do certs without the DNS protocol, using /etc/hosts or something else instead. When a name is referred to in a certificate SAN DNS field, it really means that the validating host will try to do a host lookup, typically a gethostbyname(3) variant, which in this modern era is implemented as DNS, but can also be implemented by /etc/hosts or YP/NIS or other more obscure technologies, and FreeBSD fully supports these. See nsswitch.conf(5) for more info on that.
You can create "local DNS" with a variety of tools and if you do so, and all your systems are configured to use that service, then yes, you can have "yourstuff.local" or something like that. And you can make certificates for that, and it'll work. You will not be able to generate LetsEncrypt certificates for something in a locally defined domain, so creating your own CA and loading those certs into your systems is the only practical solution.
If you decide to roll your own CA, you *can* generate a wildcard certificate for *.local, but this is a poor implementation. You are better off creating a CSR on each of your devices, signing it with your private CA, and getting a unique certificate per device. Ideally you also want to do this with a nailed-down IP, which lets you add the SAN:IP field. DHCP is kinda very evil for most things you'd want to install a server certificate on. This is the only practical way to generate hundreds of certificates and have the security mean anything.