This has particularly become an issue since the big migration I did at the beginning of this year, which also involved enforcing HTTPS across all websites.
Given the widespread success of Let's Encrypt, a CA that issues free (as in free beer) server certificates, I have decided to replace all of my website certificates.
Since Let's Encrypt provides server certificates via the ACME protocol, one of the main decisions to make was to pick a suitable client. Although the recommended "default" is certbot <https://certbot.eff.org/>, I have decided to pick an alternative implementation written in shell - acme.sh.
The main reasons were that it has far fewer dependencies and satisfies my requirement to be able to issue certificates using the DNS challenge. As an additional plus, it supports integration with the Linode API for deploying the DNS challenge, reducing the amount of work I have to do.
Due to the specifics of how I manage and store my automation scripts and data, I had to take care of some small scripting around it to make it work in my particular set-up, and to make it less tedious for regular use. This was not that much work, and it was a refreshing change to do some Bash scripting again.
As for the rest of the services (things like XMPP, mail, etc.), the Majic CA hierarchy will remain in place. The number of people that directly access those is much smaller (friends and family), so the hassle of getting the chain imported into clients is minimal. There is still some work to be done on the Majic CA hierarchy as well (the idea is to create a new one with modern algorithms, better security and different software packages), and this will be somewhat of a major undertaking. But more on that in the future when I start the planning :)
To family and friends - just carry on as always. To everyone else - welcome to warning-free access to my pages ;)