All this is moot.
From version 56 of cPanel/WHM onwards, cPanel will generate a Comodo-backed SSL certificate for your server’s hostname. It won’t protect proxied service URLs such as webmail.*, cpanel.*, whm.*, etc. but it will allow you to access cPanel/WHM via a fully certified certificate.
From version 58 of cPanel/WHM onwards, every domain on your cPanel/WHM server is able to receive a free Comodo-backed SSL certificate – valid for 90 days, but is automatically regenerated by the system. It’s an alternative to Let’s Encrypt, support for which will be eventually be made available via an external plugin.