Thank you for comprehensive answer.
Not sure how many resources you have on your hand, but simple VM with certificate authority could be a solution - this way you will get self-signed certificate.
I do not remember anymore whether this was enough for "domain" only, but there should be a Valiable setup allowing for outside world also to recognize certificate.
Otherwise it could be interesting to consider $ for certificate from recognized RU authority. Should't be crazy expensive and might be financed as apart of some yearly collection to get this project going.
Anyway - I know it can work without it, but you never now.
Thanks again for all the good work!