Conrad Wood said:

On the point of extra services:
I wouldn't mind if you offer TLS certificates for the servers.
I used to run my own CA and add the CA to the clients, but sadly that
seems to be no longer an option for iPhone/Android (nor do I want the
hassle).

See certbot. It does the work with a free CA that is very widely trusted. 

If you use Debian Jessie, you need to enable the backports repository, but it's simple enough to do after that, including automatic renewals every three months. 

Ian