Module Signing and Secure Boot


I’m building a new device driver and use a Symantec EV certificate to sign the driver and installer for the Windows environment. However, it’s unclear what the proper procedure is for the RHEL environment. I understand and perform self-signing during development using the steps listed in the Admin Guide, but what is the standard signing practice when publishing a third-party kernel module for RHEL customers? Your experience or insight is appreciated.

1) Is self-signing my only option?
2) DKMS looks like a nice solution for kernel modules. Do you offer both DKMS (results in unsigned ko) and signed modules to the RHEL customers?
3) Is there an acceptable method to eliminate the “tainting kernel” message for a signed third-party kernel module?
4) For the case when the RHEL customer is using Secure Boot, must I provide customer instructions for importing the public key associated with the third-party kernel module into the Authorized Signature database, or is there some way to map (cross-cert) to the default Red Hat key? (Note: my UEFI option ROM is in the process of being signed by Microsoft... hopefully.)

Responses