Hello Bart,
To be able to use letsencrypt as described in this post below and then forget about it afterwards is probably the best way for the user.
Keep in mind that certificates have an expiry date and must be renewed before that date or nothing works anymore.
Focus on that, I'll try to use letsencrypt to be recognized by the CAs loaded in the browsers.
I wonder if it works with Mac/Safari, which is always a little bit "different".