You mentioned a book though… Now i’m curious ;-)

The reason i chose Step CA over openSSL is because with step CA you can automate certificate renewal without any manual intervention. I don’t know how that would work with openSSL except some heavy scripting?

If you want everything on your local lan to have SSL, look into Step CA. Its not completely beginners friendly, but if you’re serious about selfhosting you will manage to set it up :) Caddy works with it also, and their examples are very helpful.

Which issues are you referring to?

Using port 2222 may not prevent any real hackers from discovering it, but it sure does prevent a lot of them scripttkiddie attacks that use automated software.

With wireguard i set up an easy VPN, then vpn to the home network and use jellyfin.

If i cant use vpn, i have Jellyfin behind a caddy server with automatic https and some security settings.