Score:0

How to use IPPS with Brother printer and Mac?


I have a Brother laser printer connected to my router via ethernet cable. Within the Brother configuration web portal, I did the following:

  • disabled all wireless functionality on the printer
  • disabled every protocol except for IPP and the nested AirPrint (the latter forces mDNS to be enabled)
  • created a self-signed certificate and installed it on my Mac
  • disabled port 80/HTTP, enabling only port 443/HTTPS

Since the Mac and Chrome can't verify the authenticity of the certificate I manually set the SSL and X.509 trust policies to Always Trust in Keychain Access.

The problems are:

  1. Without AirPrint enabled, my Mac can find but can't add the printer. Attempts to manually add it result in failures to print.
  2. With AirPrint, other Apple devices are able to find and use the printer WITHOUT NEEDING THE CERTIFICATE INSTALLED!
  3. Even with the trust policies set on the cert, Chrome still thinks connections to the printer are Not Secure.

My goal is to have the printer secured so that only devices with the cert installed can access the printer.

Score:0

> With AirPrint, other Apple devices are able to find and use the printer WITHOUT NEEDING THE CERTIFICATE INSTALLED!

TL;DR: AirPrint can probably simply use the provided TLS certificate for encryption without performing any trust checks.


With mDNS your AirPrint printer will be discovered with a hostname like brother-printer-model-number-xyz.local, or whatever printer name gets assigned as a hostname in the .local TLD.

That .local domain is a special use domain name, which is not resolvable in the global Domain Name System. Everybody can use the .local TLD within their own network.

One of the consequences is that there is no unique owner/operator of that domain. Since public Certificate Authorities can't identify an owner, they can't establish a chain of trust, and CAs won't ever issue officially signed TLS certificates for the .local domain. (Similar to how you can't get an official CA to issue a certificate for "localhost".)

Since there can never be a "valid" or "trusted" certificate issued to printers and other devices that can be discovered via multicast DNS (mDNS) and zero-configuration networking (zeroconf), they will always have a self-signed certificate (see footnote).

That can be dealt with in several possible ways I think.

One approach is to program your AirPrint driver to simply not care about trust, when the printer is discovered with .local hostname and supports a TLS certificate; then simply accept and use that for encryption, without checking if that certificate can actually be trusted. You won't have the additional security features that TLS can provide, but regardless your print jobs will still be encrypted in transit and protected from eavesdropping.


> Even with the trust policies set on the cert, Chrome still thinks connections to the printer are Not Secure.

As far as I know Chrome uses its own internal CA trust and doesn't use the Apple/OSX Keychain.

For instance my (HP) printer's self-signed certificate is included in my keychain. Safari will happily connect to the web interface of that printer and when checking the certificate properties displays:

[Screenshot: Safari shows that it trusts the certificate]

Chrome on the same Mac, on the other hand, is still showing large danger signs:

[Screenshot: Chrome certificate warnings]


Footnote: Technically when you operate your own internal CA, nothing prohibits you from issuing a signed certificate for the .local hosts in your network.
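The two trust models the answer contrasts (encrypt without any trust check versus trusting only the one certificate you installed), as an added example that is not from the thread. The host name brother-printer.local, port 631 and the certificate path passed to pinned_context() are assumptions, and SAMPLE_DER is a constructed placeholder, not a real certificate.

```python
import hashlib
import hmac
import socket
import ssl

# Assumptions (not from the thread): the printer advertises itself as
# brother-printer.local and serves IPPS on 631 (the poster's uses 443).
PRINTER_HOST = "brother-printer.local"
IPPS_PORT = 631

# Constructed stand-in for a DER-encoded certificate, used only for tests.
SAMPLE_DER = b"\x30\x82\x01\x00constructed-not-a-real-certificate"

def encrypt_only_context() -> ssl.SSLContext:
    """The trust model the answer suspects AirPrint uses: any certificate is
    accepted, so traffic is encrypted but an on-path substitute cert passes."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def pinned_context(printer_cert_pem_path: str) -> ssl.SSLContext:
    """Trust exactly one issuer: the printer's own self-signed certificate.
    Only that file is loaded (no system roots) and the hostname must match."""
    ctx = ssl.create_default_context(cafile=printer_cert_pem_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER certificate, formatted like `openssl x509
    -fingerprint -sha256` so it can be compared with what the printer shows."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def pin_matches(der_cert: bytes, expected_fingerprint: str) -> bool:
    """Compare the presented certificate against a pinned fingerprint."""
    presented = cert_fingerprint(der_cert).replace(":", "").lower()
    expected = expected_fingerprint.replace(":", "").lower()
    return hmac.compare_digest(presented, expected)

def probe_with_pin(host: str, port: int, expected_fingerprint: str) -> bool:
    """Handshake without CA trust, then enforce the pin on the peer cert."""
    ctx = encrypt_only_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return pin_matches(tls.getpeercert(binary_form=True), expected_fingerprint)
```

probe_with_pin() is the check to run against your own printer: it accepts only the certificate whose fingerprint you recorded, regardless of who signed it, which is the behaviour the question is asking for and the behaviour the answer says AirPrint likely skips.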
