If you are already maintaining a CA for any other reasons then use that or the same process to maintain another, otherwise the second option is probably the path of least extra work/cost.