My first question would be: do you really want to self-host? Google have a service that's affordable: <a href="https://cloud.google.com/certificate-authority-service" rel="nofollow">https://cloud.google.com/certificate-authority-service</a> AWS has a similar service but, the last time I checked, it wasn't as cheap [because of their minimum monthly cost].<p>If you really want to self-host, consider the open source step-ca <a href="https://smallstep.com/certificates/" rel="nofollow">https://smallstep.com/certificates/</a> If you want to do everything yourself and learn a fair amount about PKI, I provide step by step instructions in my (free) OpenSSL Cookbook: <a href="https://www.feistyduck.com/books/openssl-cookbook/" rel="nofollow">https://www.feistyduck.com/books/openssl-cookbook/</a><p>It's difficult to do it right and self-host :)