The security of SSL for GLPI is very low: the agent is installed with a certificate file (cacert.pem), and this certificate is the public certificate of the web server. So it's really easy to get the certificate file.
So you have 2 choices: use a certificate (and a long-duration certificate), or not use a certificate. (I choose the second choice.)
With a certificate, you have the problem of distributing this certificate: if the client certificate is not the same as the web server's, you can't execute an OCS package to change the certificate, and also, you can't change the certificate too early ...
If you really want a certificate, you could use a long self-signed certificate: for the agent, it's OK: there is no check for self-signed.
Also, you have a solid trick (but very insecure): write a small program to get the public certificate and write it to cacert.pem. (Tip: try openssl.)
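Added example, not part of the original post and not OCS or GLPI code: a pre-rotation check for the distribution problem described above. It compares the SHA-256 fingerprints in an agent's cacert.pem with the certificate the server presents now and the one planned next. The function names and sample bytes are constructed, and the "READY" state assumes the agent's TLS library accepts a cacert.pem holding more than one certificate.

```python
import base64
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def bundle_fingerprints(pem_text):
    """SHA-256 fingerprint of every certificate block in a cacert.pem-style file."""
    prints = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        prints.append(hashlib.sha256(der).hexdigest())
    return prints

def rotation_check(agent_bundle_pem, served_der, planned_der=None):
    """Classify an agent's cacert.pem against the served and the planned server cert."""
    known = set(bundle_fingerprints(agent_bundle_pem))
    if hashlib.sha256(served_der).hexdigest() not in known:
        return "MISMATCH"   # agent cannot validate the server, so it cannot fetch packages
    if planned_der is None:
        return "OK"
    if hashlib.sha256(planned_der).hexdigest() in known:
        return "READY"      # server certificate can be switched without cutting this agent off
    return "NOT_READY"      # switching now would turn this agent into a MISMATCH

# Constructed placeholder bytes standing in for DER certificates (not real certificates).
OLD_DER = b"constructed-old-server-certificate"
NEW_DER = b"constructed-new-server-certificate"
OLD_ONLY = ssl.DER_cert_to_PEM_cert(OLD_DER)
BOTH = OLD_ONLY + ssl.DER_cert_to_PEM_cert(NEW_DER)

if __name__ == "__main__":
    print(rotation_check(OLD_ONLY, OLD_DER, NEW_DER))  # agent still on the old file
    print(rotation_check(BOTH, OLD_DER, NEW_DER))      # agent already holds both
    print(rotation_check(OLD_ONLY, NEW_DER))           # server switched too early
```
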