Ah ok. I think I get it now. Very funny analogy by the way.
I assume for the new domain that we add to Protocols -> Domains, we should select "Require TLS encryption and verify certificate" under the Delivery tab. All our other domains in there have "Require TLS encryption and don't verify certificate."
That's why we are under the impression the current cert is self-signed. We're having trouble determining if it is or not. There's not much information given under Administration -> Certificates.