We have dozens of internal management interfaces on our appliances that use self-signed certificates - iLO, DRAC, switch management, etc. These certificates display a warning in the browser, but their expiry or lack of trust does not break the service.
Our security manager wants to use valid internal certificates for these appliances and interfaces. Administrators only log on to these interfaces, not end-users. Most of the organisations I've worked with are fine with self-signed certificates for management interfaces.
What are the risks associated with using self-signed certificates on these management interfaces? Are there any NCSC, NIST or ISO best practices for this?