this machine is now using a StartCom SSL certificate.
This also meant that I needed to choose a certificate authority (CA) that is recognised out of the box by most browsers.
side note: of course I still use CA cert, just like I sign certificates for home machines only I use. Although, when signing your own, you might find certmaster or mpoole’s clica more straightforward than operating openssl directly.
StartCom were recommended for my use case of a private site. For now I’m using a free certificate, but if my experience with them remains this pleasant, I’ll probably not even blink and just cough up the dough when I need a feature they do not have in the free cert.
I followed up with a config cleanup round. I can warmly recommend the check tool and the good documentation from the fine folk at SSL Labs. Do tell if you see any http oddness on my site.
Kudos to the security folk at work for documentation, recommendations and help.