From now on I use TLS certificates from Let’s Encrypt for all my services (web, e-mail, XMPP, etc.).
This is not a classic certification authority (CA) but an initiative which was originally founded by Mozilla, the EFF and the University of Michigan and is now provided by the Internet Security Research Group (ISRG). The goal of Let’s Encrypt is to provide encryption everywhere by offering the required certificates for free. Since April 2016 Let’s Encrypt is no longer in beta but officially in operation.
To use Let’s Encrypt, a client is required that renews the certificates via the “ACME” protocol on a regular basis, as the certificates are only valid for three months. For this I use the shell script getssl, with which you can automate the process very easily. This script is executed by a cron job once a day to check the age of the certificates and renew them. It also tells the affected services to reload their configuration, or restarts the affected services if required.
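An independent expiry check that can run beside the daily renewal job, so that a renewal which fails silently is noticed before the three-month lifetime runs out. This is an added example, not part of the original post or of getssl; the 30-day threshold, the function names and the sample certificate subject are assumptions.

```shell
#!/bin/sh
# Added example: expiry check to run beside the daily renewal cron job.
# RENEW_DAYS, the function names and the sample subject are assumptions.
RENEW_DAYS=30   # flag certificates with fewer than this many days left

# cert_status FILE [DAYS] -> prints ok | renew | expired | unreadable
cert_status() {
    cert=$1
    days=${2:-$RENEW_DAYS}
    # Missing files and anything openssl cannot parse as X.509 are reported,
    # not silently skipped: a truncated file is as bad as an expired one.
    if [ ! -r "$cert" ] || ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo unreadable
    # -checkend N exits non-zero if the certificate expires within N seconds.
    elif ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo renew
    else
        echo ok
    fi
}

# check_certs FILE... -> one status line per file; returns 1 unless all are ok
check_certs() {
    rc=0
    for c in "$@"; do
        s=$(cert_status "$c")
        [ "$s" = ok ] || rc=1
        end=$(openssl x509 -in "$c" -noout -enddate 2>/dev/null) || end="notAfter=unknown"
        printf '%s %s %s\n' "$s" "$c" "$end"
    done
    return "$rc"
}

# make_sample_cert FILE DAYS -> constructed self-signed test certificate
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=sample.example.test" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Called with certificate paths (e.g. from cron), report and set the exit code.
if [ "$#" -gt 0 ]; then
    check_certs "$@"
fi
```

Run it with the paths of the deployed certificate files as arguments; the exit status is non-zero as soon as one of them is unreadable, expired or inside the renewal window.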