All our internal services should be ssl-only. Because the domain we use for this is not used outside of our company, CAcert is the best and cheapest option.
To create a wildcard certificate CSR we used:
openssl req -newkey rsa:2048 -subj /CN=*.qax.io -nodes -keyout qax.io.key -out qax.io.csr
How to install CAcert to all your browsers look http://wiki.cacert.org/FAQ/BrowserClients
Tell us what you think about this. Is something unclear? Do you have questions or ideas? Leave your comments below.