Hi, CA / PKI is completely broken; if you cannot run your own CA and apply it to all effected machines, then you are better off using letsencrypt. Now, given that many browsers get quite nasty with self-signed certificates, it is becoming less easy to use self-signed certs (even just for yourself). You can have up to 100 domains (including sub-domains) in the one certificate with letsencrypt. The domains included in a single cert can also be completely non-related to each other, but I prefer to keep them related myself (at least in some way). Certificates don't live for as long as a brought one, but that is actually a bonus. You can automatically schedule updates, but I prefer to do so manually. https://letsencrypt.org There are lots of guides available on the Internet. I use certificates for lots of domains and some of those being used for both web and email servers. I also now have a cert for my ejabberd setup, although Pidgin on Winblows doesn't have all the right upstream CAs that browsers do and therefore it fails to follow the chain fully and properly; therefore can't properly fully verify my cert by itself (I can verify it though myself). Anywhere that you might need a cert, you can almost certainly use one from letsencrypt. Michael wants me to do a talk at MLUG, but I'm not ready and I've got too many other things that I have to deal with. Perhaps I will end up doing a talk and sharing my scripts and methods for others. Kind Regards AndrewM