[ivanr]

My first question would be: do you really want to self-host? Google have a service that's affordable: https://cloud.google.com/certificate-authority-service AWS has a similar service but, the last time I checked, it wasn't as cheap [because of their minimum monthly cost].

If you really want to self-host, consider the open source step-ca https://smallstep.com/certificates/ If you want to do everything yourself and learn a fair amount about PKI, I provide step by step instructions in my (free) OpenSSL Cookbook: https://www.feistyduck.com/books/openssl-cookbook/

It's difficult to do it right and self-host :)