So, I manage my server with docker containers (nginx-proxy and the letsencrypt-companion). I limit access to some subdomains using basic auth, but I want to use client certificates for convenience.

So my questions to the experts:
1) Do you know a good (and convenient) way to manage client certificates ? This should include revoking certs and allowing specific certs only for specific subdomains.
2) Should I use my letsencrypt CA for this or would a self signed CA better suited?
3) Any things I should be aware of?