Hi,
CA / PKI is completely broken; if you cannot run your own CA and apply
it to all affected machines, then you are better off using letsencrypt.
Now, given that many browsers get quite nasty with self-signed
certificates, it is becoming less easy to use self-signed certs (even
just for yourself).
You can have up to 100 domains (including sub-domains) in the one
certificate with letsencrypt. The domains included in a single cert can
also be completely non-related to each other, but I prefer to keep them
related myself (at least in some way). Certificates don't live for as
long as a bought one, but that is actually a bonus. You can
automatically schedule updates, but I prefer to do so manually.
https://letsencrypt.org
There are lots of guides available on the Internet.
I use certificates for lots of domains and some of those being used for
both web and email servers. I also now have a cert for my ejabberd
setup, although Pidgin on Winblows doesn't have all the right upstream
CAs that browsers do and therefore it fails to follow the chain fully
and properly; therefore can't properly fully verify my cert by itself (I
can verify it though myself). Anywhere that you might need a cert, you
can almost certainly use one from letsencrypt.
Michael wants me to do a talk at MLUG, but I'm not ready and I've got
too many other things that I have to deal with. Perhaps I will end up
doing a talk and sharing my scripts and methods for others.
Kind Regards
AndrewM
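The three things the post touches on, one certificate covering several names, the short lifetime that makes renewal a routine job, and a client that cannot follow the chain because the issuing CA is missing from its trust store (the Pidgin case), can all be checked locally with openssl. The script below is an added example and is not AndrewM's script or anything from letsencrypt: it builds a throwaway root CA, issues a 90-day leaf with three constructed SAN names (`www.example.test`, `mail.example.test`, `xmpp.example.test`), and then verifies the leaf against the right trust store and against an unrelated one. All names, paths and the helper functions (`new_root`, `issue_leaf`, `chain_verifies`, `san_count`, `renewal_due`) are assumptions made for the demo; it only needs a working `openssl` binary.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway root CA and a
# multi-SAN leaf certificate with openssl, then run the checks a cert admin
# usually wants: does the chain verify against a given trust store, how many
# names does the cert cover, and is renewal due. All names are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Write a minimal openssl req config so the demo does not depend on the
# system openssl.cnf. $1 = output path, $2 = "ca" to include root-CA extensions.
write_req_cnf() {
  {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n'
    if [ "$2" = ca ]; then printf 'x509_extensions = v3_ca\n'; fi
    printf '[dn]\nCN = placeholder\n'
    printf '[v3_ca]\nbasicConstraints = critical, CA:TRUE\n'
    printf 'keyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n'
  } > "$1"
}

# Self-signed root CA. $1 = CN, $2 = output prefix (writes $2.key and $2.pem).
new_root() {
  write_req_cnf "$2.cnf" ca
  openssl req -x509 -config "$2.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=$1" -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

# Leaf signed by a root. $1 = CA prefix, $2 = leaf prefix, $3 = SAN list.
# 90 days mirrors the lifetime letsencrypt issues for.
issue_leaf() {
  write_req_cnf "$2.cnf" leaf
  openssl req -new -config "$2.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" -keyout "$2.key" -out "$2.csr" 2>/dev/null
  printf 'subjectAltName = %s\nbasicConstraints = CA:FALSE\n' "$3" > "$2.ext"
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 90 -extfile "$2.ext" -out "$2.pem" 2>/dev/null
}

# Does the leaf ($2) chain to a CA in the trust store ($1)? 0 = yes, 1 = no.
# A client whose store lacks the issuing CA gets the "no" answer, which is
# exactly what a chat client without the right upstream CAs sees.
chain_verifies() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then return 0; else return 1; fi
}

# Print the number of DNS names in the certificate's SAN extension.
san_count() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | grep -c 'DNS:'
}

# 0 (true) when the cert ($1) expires within $2 days; openssl -checkend exits
# with 1 in that case, so the sense is inverted here.
renewal_due() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
    return 1
  else
    return 0
  fi
}

# Demo run: one CA that issued the leaf, one unrelated CA that did not.
new_root "Demo Root CA" "$WORK/ca"
new_root "Unrelated Root CA" "$WORK/other"
issue_leaf "$WORK/ca" "$WORK/leaf" \
  "DNS:www.example.test,DNS:mail.example.test,DNS:xmpp.example.test"

printf 'names covered by the leaf: %s\n' "$(san_count "$WORK/leaf.pem")"
chain_verifies "$WORK/ca.pem" "$WORK/leaf.pem" && echo "issuing CA in trust store: chain OK"
chain_verifies "$WORK/other.pem" "$WORK/leaf.pem" || echo "issuing CA missing from trust store: chain fails"
renewal_due "$WORK/leaf.pem" 30 || echo "renewal not due within 30 days"
```

Pointing `chain_verifies` at a real trust store (a browser's bundle versus the CA file a chat client ships with) is the quickest way to tell whether a "cannot verify" complaint is a fault in the certificate or a gap in the client's upstream CAs; `renewal_due` is the check a cron job would run before deciding to renew.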