The other option I was looking into was acme.sh, but I haven’t given it a go yet. My thinking was that I could possibly use that to generate a wildcard cert every x days via a cronjob and then push the cert out via SCP, etc., using another script to all the odds and ends that might need a certificate (e.g., wireless access points). It’s just a thought bubble at the moment, but that same workflow may suit @jdownie’s Kubernetes certificates - generate a wildcard cert and then push that certificate out.
Possible that I’ll go down both paths - Caddy to reverse proxy some publicly accessible things with individual certificates, and acme.sh to generate a wildcard certificate exclusively for use by network hardware/infrastructure type devices. I rely on Cloudflare for the public stuff at the moment (both certs and their free WAF), but this Caddy WAF project looks interesting and I may be able to move to something self-hosted instead. If/when I get that far I’ll update this thread with any Caddy rollout details and the certificate management thread with the certificate management side of things.
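The "renew a wildcard cert on a schedule, then SCP it out to the network gear" workflow sketched in the post above, written out as an added example. It is not code from the original thread or from the acme.sh project. The acme.sh commands in the header comment use the real `--issue --dns dns_cf` (Cloudflare DNS-01) and `--install-cert --reloadcmd` options; everything else (the domain `example.com`, the `/etc/ssl/wild.*` output paths, the `certdeploy` SSH user, the hostnames, remote directories and reload commands in the inventory) is an assumption made up for the example.

```shell
#!/bin/sh
# push-cert.sh -- copy a freshly renewed wildcard certificate to infrastructure
# devices over scp and run each device's reload command.
#
# Meant to be called by acme.sh after each renewal, e.g. (hypothetical paths):
#   acme.sh --issue --dns dns_cf -d example.com -d '*.example.com'
#   acme.sh --install-cert -d example.com --ecc \
#       --fullchain-file /etc/ssl/wild.fullchain.pem \
#       --key-file       /etc/ssl/wild.key \
#       --reloadcmd      /usr/local/bin/push-cert.sh
# acme.sh's own cron job handles the "every x days" part; --reloadcmd only runs
# when the certificate actually changed, so devices are not touched needlessly.

FULLCHAIN="${FULLCHAIN:-/etc/ssl/wild.fullchain.pem}"   # assumed install path
KEY="${KEY:-/etc/ssl/wild.key}"                          # assumed install path
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands (default); 0 = really push

# Constructed inventory: host  ssh_user  remote_dir  reload_command
# Real devices, users and reload commands will differ from these made-up ones.
TARGETS='ap1.lan     certdeploy /etc/ssl/acme   sudo systemctl reload lighttpd
ap2.lan     certdeploy /etc/ssl/acme   sudo systemctl reload lighttpd
switch1.lan admin      /cfg/ssl        /usr/sbin/reload-web'

# Number of non-blank inventory lines.
count_targets() {
    printf '%s\n' "$TARGETS" | grep -c '[^[:space:]]'
}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Refuse to push a cert/key pair that does not belong together (half-written
# or stale files). Returns 0 only if both are readable and their public keys
# agree. Needs openssl on the renewal host.
pair_matches() {
    [ -r "$1" ] && [ -r "$2" ] || return 1
    c=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Push to one device. Args: host user dir reload_command...
# BatchMode stops ssh from hanging on a password prompt under cron, and strict
# host-key checking means an unknown host key fails instead of being accepted.
push_one() {
    host=$1; user=$2; dir=$3; shift 3
    run scp -q -o BatchMode=yes -o StrictHostKeyChecking=yes \
        "$FULLCHAIN" "$KEY" "$user@$host:$dir/" || return 1
    run ssh -o BatchMode=yes "$user@$host" \
        "chmod 600 $dir/$(basename "$KEY") && $*" || return 1
}

# Push to every device; the exit status is the number of failures, so cron's
# mail (or the acme.sh log) shows when a device did not get the new cert.
push_all() {
    if [ "$DRY_RUN" != 1 ] && ! pair_matches "$FULLCHAIN" "$KEY"; then
        echo "certificate and key do not match or are unreadable; aborting" >&2
        return 1
    fi
    failed=0
    while read -r host user dir cmd; do
        [ -n "$host" ] || continue
        if push_one "$host" "$user" "$dir" "$cmd"; then
            echo "pushed to $host"
        else
            echo "FAILED: $host" >&2
            failed=$((failed + 1))
        fi
    done <<EOF
$TARGETS
EOF
    return "$failed"
}

# Dry run by default; set DRY_RUN=0 in the --reloadcmd environment to push for real.
push_all
```

The deploy user on each device should be a dedicated account whose authorized key is used only for this script, since whoever holds that key can read the wildcard private key off every device it reaches. The same goes for the renewal host: the wildcard key is only as well protected as the weakest box it is copied to, which is the reason for keeping it off the publicly reachable Caddy side and on infrastructure devices only.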