Wouldn't say you *have* to bring in a CA for local dev... but it could certainly make things faster and "more prod like" to do so.

* You would need some directives to change your auth and make sure if "all works" locally without the mTLS I would think... or you could potentially just have your dev environment sign a cert for you to use for local development, and trust that dev CA.

* You'd likely want at a minimum different CAs per environment such that no cert would be valid for any environment except the one its intended for.

* You can go the full self signed cert route that's signed by your own "local" CA as well. Most of this can be scripted out, and is only needed like once for getting set up