Setting TLS using crd, self signed certs

Is there a way to generate a self signed certs on a dynamic basis that would have the CN of the HostSNI record?

Something like:

kind: IngressRouteTCP
  name: ingress-database-tls
    - db
  - match: HostSNI(`{{INGRESS_DOMAIN}}`)
    kind: Rule
    priority: 1
    - name: database-service
      port: 1433
  tls: {}


For most situations, to use self-signed certificates, your client would have to skip certificate validation, which includes the name check.

For this reason, having this automated from within traefik would not be very useful.

However, you can use a tool like pebble or boulder to create custom certificates with your own CA, dynamically:

Yes appreciate this is probably not a standard use case. However Traefik already happily generates self signed certs if no details are provided and tls is requested. Would is be feasible to extend the self signing to include the host name?