Self signed just means you have to create and distribute a CA cert, and your platform has to support adding CA certs. AFAIK Chrome, Firefox, IE, Edge, and mobile browsers on Android and iOS can do this.
You generate a CA cert using a utility like xca and then create client certs signed by it. You can use signing requests if you don't want to know the password that protects the certs (in my scenario, I was fine with that).
You then export your client certs, with your CA cert included, and coordinate with people who need access to install the cert on their browser or OS.
Your users will get prompted to trust a new CA (as they should).
Combine with a webserver that supports routing requests based on certificate status, like nginx, and it's pretty neat. You can allow access to only those who have a cert signed by your CA.
I did this for the longest time before letsencrypt was a thing, and if letsencrypt goes away, I'll go back to it.
You generate a CA cert using a utility like xca and then create client certs signed by it. You can use signing requests if you don't want to know the password that protects the certs (in my scenario, I was fine with that).
You then export your client certs, with your CA cert included, and coordinate with people who need access to install the cert on their browser or OS.
Your users will get prompted to trust a new CA (as they should).
Combine with a webserver that supports routing requests based on certificate status, like nginx, and it's pretty neat. You can allow access to only those who have a cert signed by your CA.
I did this for the longest time before letsencrypt was a thing, and if letsencrypt goes away, I'll go back to it.