tl;dr: generate dynamic certificates on the fly with nginx.
OpenResty can generate certificates on demand, following a fairly direct pattern:
- Generate private key
- Generate signing request (CSR)
- Sign the CSR with a CA
- Use the new key
A little bit of Lua inside Nginx goes a surprisingly long way.
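
The four steps above, worked through with the `openssl` command line instead of Lua so the sequence can be run outside nginx. This is an added example, not code from the original post; the throwaway CA, the `req.cnf` file, the function names and `app.example.test` are assumptions, and the name check assumes the requested host name comes from an untrusted client.

```shell
#!/bin/sh
# Added example: key -> CSR -> CA signature -> checks, using the openssl CLI.
# The throwaway CA, file names and function names are constructed.

valid_host() {  # accept only plain lower-case DNS names (assumed untrusted input)
    case $1 in ''|*[!a-z0-9.-]*) return 1 ;; esac
    [ "${#1}" -le 253 ] && printf '%s\n' "$1" |
        grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

make_test_ca() (  # $1 = work dir; stands in for the real signing CA
    umask 077
    # Own config, so nothing depends on the system-wide openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' 'CN=unused' '[ca_ext]' \
        'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign' \
        > "$1/req.cnf"
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$1/ca.key" || exit 1
    openssl req -x509 -new -config "$1/req.cnf" -extensions ca_ext -sha256 \
        -days 1 -key "$1/ca.key" -subj "/CN=Constructed Test CA" -out "$1/ca.crt"
)

issue_cert() (  # $1 = dir holding ca.key, ca.crt, req.cnf; $2 = requested name
    dir=$1 host=$2
    umask 077
    valid_host "$host" || { echo "rejected name" >&2; exit 2; }
    # 1. Generate private key
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$dir/$host.key" || exit 1
    # 2. Generate signing request, signed with that key (proof of possession)
    openssl req -new -config "$dir/req.cnf" -key "$dir/$host.key" \
        -subj "/CN=$host" -out "$dir/$host.csr" || exit 1
    # 3. Sign with the CA; extensions are set here, not copied from the CSR
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
        'extendedKeyUsage=serverAuth' "subjectAltName=DNS:$host" > "$dir/$host.ext"
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 1 -extfile "$dir/$host.ext" \
        -out "$dir/$host.crt" || exit 1
    # 4. Before using the pair: chain verifies and the cert carries the new key
    openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null || exit 1
    [ "$(openssl x509 -in "$dir/$host.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/$host.key" -pubout)" ]
)
```

Call `make_test_ca "$dir"` once, then `issue_cert "$dir" app.example.test`; a non-zero status means the key and certificate must not be served.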