Currently it may happen that expired certificates (from a known and proper CA) are replaced with self-signed certificates, which can cause issues when a user wants to update the "proper" certificate. We had issue #913, which suggested regeneration of expired certificates. On the other hand we have issue #1279 to add an option to disable such auto-regeneration.
What's more, with certificates stored in the database we probably should add a way to manage them (view and remove).
When loading certificates from the repository we should do it in a smarter way (i.e. avoid loading a self-signed certificate if we have already loaded a proper one).
After the discussion we settled on the following (both to be implemented as part of issue #1279):
- if there is no certificate for the given VHost (for example after creating a VHost without providing its own certificate), generate a self-signed certificate to facilitate the connection (STARTTLS is required);
- if there is a certificate for the domain but it is expired, re-generate it only in the case of a self-signed certificate (to avoid overriding our own certificates; there is still an expired one, but regenerating a self-signed one in its place would yield virtually the same result for the end user, i.e. a notification that the certificate is incorrect; without replacing it with a self-signed one we would at least know what the original certificate was and that it indeed expired).
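As an added illustration of the two rules above (example code written for this discussion, not the project's own implementation; Go with only the standard library, and the names decide, isSelfSigned, makeCert and the Action values are assumptions), the loader decision plus a self-signed check that relies on signature verification rather than on comparing issuer and subject names:

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
type Action int // what the loader does with the certificate stored for one VHost
const (
	KeepExisting         Action = iota // valid, or expired but CA-issued: keep it so the operator sees what expired
	GenerateSelfSigned                 // nothing stored: create one so STARTTLS is possible at all
	RegenerateSelfSigned               // expired and self-signed: safe to replace with a fresh self-signed one
)
// isSelfSigned verifies the signature under the certificate's own public key. Comparing
// issuer and subject names alone is not enough: a CA-issued cert could carry equal DNs.
func isSelfSigned(c *x509.Certificate) bool {
	return c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}
// decide applies the two agreed rules; nil means no certificate is stored for the VHost.
func decide(c *x509.Certificate, now time.Time) Action {
	if c == nil {
		return GenerateSelfSigned
	}
	if now.After(c.NotAfter) && isSelfSigned(c) {
		return RegenerateSelfSigned
	}
	return KeepExisting
}
// makeCert builds a constructed test certificate for cn expiring at notAfter: self-signed when
// parent is nil, otherwise signed by parent, which stands in for a real CA (Ed25519 keys, assumed).
func makeCert(cn string, notAfter time.Time, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.AddDate(-1, 0, 0),
		NotAfter:     notAfter,
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced, so it always parses
	return cert, key
}
```

With this split, an expired CA-issued certificate is reported as expired but never silently swapped for a self-signed one, which is exactly the information the operator needs to replace it.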