My boss refuses to allow private IP addresses into a public DNS definition. So I am unable to put the private SVN box IP (svn.ourcompany.com) into a .com DNS record. It exists only at svn.ourcompany.local
I don't mind this, ultimately, except when it comes to SSL.
Is there a popular (root CA cert pre-installed in all OSes) CA that signs .local certificate requests? It doesn't need to have any bells and whistles, no wild card, it can even cost a nominal fee.
I really don't want to go around and install a self-rolled root CA in every user's computer, and have to redo it when something changes. It's just annoying.
Your boss is smarter than you possibly think. Mapping a local address on a public DNS server does not make much sense.
You should better configure an internal DNS server (Bind works like a charm on a minimal Linux installation, or you can use the DNS facility of an AD domain controller if you're on Windows) and define a delegation zone for addresses hosted within your domain.
Speaking of SSL/TLS certificates, you can easily create and manage your own ones with the openssl command. If you feel more comfortable with a gui and you're working under Linux you can install a tool called TinyCA2.
A self-generated certificate is as good as a paid one in terms of cryptographic security, you could just receive some harmless alert from the svn client (or web browser) while connecting for the first time because the emitting authority (yourself) is not recognized as certified.
M
Firstly: the answer to the question as such has to be "no", simply because the .local TLD is not a public TLD and therefore clients would unable to trace this back to a root certificate.
However, as the others have pointed out, you can run a local DNS server. In fact, in our case we run internal DNS and external DNS on the same domain, but providing different results, depending on where the query comes from. And as soon as you run your internal network on a .com TLD, you can use certificates issued by any root CA.
Why not use a local DNS server that doesn't answer external requests, with an entry for your SVN server? Or does that violate the "public DNS definition" policy (which is absurd, if the host is not publicly resolvable)?
InstantSSL by Comodo appears to do intranet SSL certificates:
http://www.instantssl.com/ssl-certificate-products/ssl/ssl-certificate-intranetssl.html
By their own description, they are "issued to either a Full Server Name or a Private IP Address." I'd still recommend looking at establishing your own private certificate authority, but you can accomplish what you want.