I followed the instructions here:
The fantastic Let’s Encrypt service lets you issue SSL/TLS certificates to devices without charge. It’s not everything you may want at the enterprise level, but for the professional in their home environment, it’s great. I wanted to replace the self-signed certificate on an HP printer I had, but it wasn’t an easy process. I’ve documented it here so it can be useful to others too. First, use certbot to generate your certificate. Run the command as follows:
certbot -d host.example.com --manual --preferred-challenges dns certonly
This will instruct you to add a TXT record to the DNS record for the host for authentication, after which you’ll receive your certificate. To convert this in to a PKCS#12 file, suitable for loading on to the printer, use the following command:
openssl pkcs12 -export -out certificate.pfx -inkey config/live/host.example.com/privkey.pem -in config/live/host.example.com/cert.pem
The .pfx file can then be uploaded to the printer and it’ll use it immediately.
Then I went to the printer control page and added the NTP pool to the Network Time Service area. Everything worked fine - I can now airprint from my iPhone or iPad directly. It's nice!