I just added a CA signed certificate from letsencrypt.
This site is really helpful (note - google translate messes up the commands):
Also basic instructions from here:
You need to have your own domain e.g. emby.mydomain.com, and have DNS configured to point to emby servers external IP. (inc use of DDNS service to do this. I use dnsomatic and cloudflare DNS)
You need to have port 443 open on your router and port mapped to your emby servers IP.
(This is because letsencrypt certification issuing process calls back to your server to ensure you own the domain)
git clone https://github.com/certbot/certbot
./certbot-auto certonly --standalone -d emby.domain.com
sudo openssl pkcs12 -inkey privkey.pem -in fullchain.pem -export -out emby.pfx
1) Because certbot spawns a root owned process, permissions for /etc/letsencrypt dirs have root-only permissions so you may need to adjust permissions)
2) When openssl asks for password pass none (enter)
Finally configure emby to use certificate at path /etc/letsencrypt/live/emby.domain.com/emby.pfx
letsencrypt certificates are valid for 3 months, so this needs to be repeated every 3 months.