As a general rule of thumb, if people will be accessing a website that utilizes a login, you should use transport layer security (TLS). While certificate pinning can provide a significant level of security, the standard method is to use a 3rd party CA to sign those certificates. While most users may never connect to the admin port (REST API), if you already have a certificate for the web port, why not re-use it?
To be more specific, at work we utilize an agreement to obtain certificate through a deal with InCommon. When we download a certificate, there is the root certificate, an intermediate certificate, and finally our servers certificate.