A self-signed SSL certificate does not provide reliable protection for data travelling between the browser and the server: by creating it, you vouch for it yourself, unlike a certificate signed by a trusted certificate authority.
What is a self-signed SSL certificate?
Technically, such a certificate is no different from one signed by a trusted authority; the difference lies in whose signature certifies it.
Self-signed certificates are most often used for testing sites and applications. They are also created for small sites that nobody has a reason to attack. Resources with high traffic, and any that collect visitors' personal data, should be identified exclusively by trusted certificates.
You can create as many self-signed certificates as you like. When loading pages of a site that uses one, visitors will always see a warning along these lines:
Such a warning scares people away. Most refuse to continue to the site, and its traffic drops as a result.
The conclusion is simple: to attract visitors, you must use trusted certificates signed by well-known authorities. Their root certificates ship with every browser, which can then assure the user that the connection is trustworthy.
How are self-signed SSL certificates created?
They are created manually with dedicated programs or libraries. On Windows, for example, you can use the OpenSSL cryptographic toolkit or the PowerShell console. These tools generate the SSL certificate together with its public and private keys.
Creating a self-signed SSL certificate with OpenSSL involves a command with the following options:
- `-out /home/devuser/cert/cert.crt` – where to write the certificate;
- `-newkey rsa:2048` – generate a new 2048-bit RSA key if you don't already have one;
- `req -x509` – request a self-signed certificate (an X.509 certificate rather than a certificate signing request);
- `-keyout /home/devuser/cert/mykey.key` – where to write the generated private key.
Then, after entering a passphrase for the key, you are prompted for the details of your server (the certificate subject). To leave a field blank, enter a single dot “.” at its prompt:
You can mark the generated certificate as trusted in your browser. Your own device will then stop showing the warning about an unprotected connection, but every other user will still see it.
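The OpenSSL procedure above, scripted end to end as an added example (not from the original article): it generates the key and certificate non-interactively, confirms that the certificate is self-signed (issuer equals subject), and shows that `openssl verify` rejects it against the system CA bundle yet accepts it once that exact certificate is supplied as the trust anchor, which is what marking it trusted in a browser amounts to. The scratch directory, the `-subj`/`-addext` fields and the `site.ru` host name are assumptions.

```shell
#!/bin/sh
# Added example: generate a self-signed certificate with OpenSSL and show
# why a client rejects it unless it has been told to trust that exact file.
set -eu

# Assumption: a scratch directory instead of the article's /home/devuser/cert.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
CERT_HOST="site.ru"   # domain used by the article's server examples

# Key and self-signed certificate in one step. -subj and -addext replace the
# interactive prompts; -nodes leaves the key unencrypted so a server process
# can read it without a passphrase.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORKDIR/cert.key" -out "$WORKDIR/cert.crt" \
        -subj "/CN=$CERT_HOST" \
        -addext "subjectAltName=DNS:$CERT_HOST" >/dev/null 2>&1
}

# Self-signed means the issuer field is identical to the subject field:
# the signature was made with the certificate's own private key.
is_self_signed() {
    issuer=$(openssl x509 -in "$WORKDIR/cert.crt" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$WORKDIR/cert.crt" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ]
}

# Chain building against the system CA bundle fails: no trusted root signed it.
verify_with_system_cas() {
    openssl verify "$WORKDIR/cert.crt" >/dev/null 2>&1
}

# Verification succeeds only when the client pins this certificate as its
# trust anchor, i.e. the client has explicitly chosen to trust it.
verify_with_pinned_cert() {
    openssl verify -CAfile "$WORKDIR/cert.crt" "$WORKDIR/cert.crt" >/dev/null 2>&1
}

main() {
    make_cert
    is_self_signed && echo "issuer == subject: certificate is self-signed"
    verify_with_system_cas || echo "system CA bundle: verification failed (expected)"
    verify_with_pinned_cert && echo "pinned as trust anchor: verification OK"
}

main
```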
To create a self-signed SSL certificate in Windows using PowerShell, enter the following command in it:
New-SelfSignedCertificate -DnsName localhost -CertStoreLocation cert:\LocalMachine\My
This command generates a self-signed certificate for localhost and places it in the local machine's personal certificate store. Once created, you can move it to the trusted root certificate store on your computer; after that, the browser stops warning about an insecure connection.
This is how the self-signed SSL certificate is configured on an Nginx server:
Here cert.crt is the certificate (containing the public key) and cert.key is the private key. On an Apache server the self-signed certificate is configured like this:
site.ru is the domain of the resource for which you are generating the certificate.
Advantages and disadvantages of self-signed SSL certificates
Pros of self-signed certificates
- You can generate an unlimited number of certificates.
- No signing fee.
- Speed of creation: no need to wait for a certification authority to respond.
Disadvantages of self-signed certificates
- The risk of losing user data.
- A permanent warning about an unknown publisher.
- No guarantee that data from the site will not end up with third parties.
- Lack of trust from users, because the site does not display a certification authority's seal.
- Errors in the structure and display of the certificate if it was created incorrectly.
Trusted authorities issue several types of certificate at different prices. The simplest only validates the domain name.
More expensive ones are issued only after a full check of the data the company provides, up to verifying the applicant's contact details and documentation.
After successful validation, the corresponding green indicator with the authority's logo appears for the site. This greatly affects visitors' trust in the site.
Conclusion
The similarity between a self-signed certificate and a trusted one ends at the technical level. A self-signed certificate does encrypt the data transmitted between the browser and the server.
However, that data remains at risk of interception by third parties, and the certificate cannot be revoked. In addition, a site identified by a self-signed SSL certificate will always trigger an insecure-connection warning, which affects its traffic.
Self-signed certificates are best used on small sites, in applications under test, or on internal resources of small companies where all employees know about the untrusted connection. Commercial resources with high traffic should be identified exclusively by certificates from trusted certification authorities.