> add the CA to your in-house browser/list of trusted CAs.

This is the hard part. Unless it's company hardware there is absolutely no way I am installing a new root cert on my machine.