I've always just used self-signed certificates. On first connect, the client will ask the user to trust your CA. There's no real difference in terms of security.