Personally, I use a custom local CA with name constraints so that it can only sign domains for The .internal TLD. This is the most important bit: because if the cert is ever leaked, it cannot be used to MITM connections to other domains.
I have to secure the CA's key, but I also have to secure all the keys for the certificate it signs, both being a similar level of challenge.
For personal use, or for very small organisations, using a passphrase-protected Yubikey as a "cheap HSM" should suffice.
Yubi makes an 'actual' HSM product:
* https://www.yubico.com/products/hardware-security-module/
See also perhaps less expensive option:
* https://shop.nitrokey.com/shop/nkhs2-nitrokey-hsm-2-7
I am planning on fiddling with using the TPM of an old dell 5820 I've got floating around my house as a budget HSM.
It looks possible, on paper, if you don't poke at it too often.