Generally speaking, Let's Encrypt is a better solution than using a self-hosted certificate authority in 2020. For most users this is what I recommend.
Let's Encrypt is stable, easy to configure, and trusted in all major browsers; however, its primary drawback is that it can be very awkward to use with domains that are not on the public Internet. Therefore, I run a certificate authority to sign X.509 certificates for internal use, as HSTS is implemented for the quay.net domain. The upshot of this configuration on the public domain is that in order to access HTTP resources on my internal subdomain I require trusted TLS certificates.
I'm in the process of deprecating this page and moving the actual configuration to a GitLab project rather than static notes. In the future this page will only contain specific information related to my local usage.
The GitLab project can be found here: The Quay X.509 Certificate Authority
Work in progress.
I publish the CA certificates and CRLs in the unlikely event that somebody outside my network might require them: