used that way. No certificate maker should ever have included it (and I've never heard of that as it would always indicate a scam CA as you cannot own that domain by definition).
The majority, if not all, did add the .local, .lan and others; unless you think all CAs are scams, I wouldn't say they are a scam.
Yeah, from a quick search it looks like at least GoDaddy and DigiCert offered them.
Nov 2015 is when the CA/Browser Forum set the standard to not allow internal domains. So it looks like most, if not all, would have supported it before that.
Damn, that's a major security hole! So I could go get a cert issued for a domain someone else used, and there had to be zero verification since... there was nothing to verify!