What are self-signed SSL certificates and their disadvantages

Technically, this certificate functions the same as the authorized variants. What makes it different is the signature which verifies its identity.

Self-signed variants are mostly used for sites and applications under testing. They can also be applied to smaller websites that do not contain any valuable data under the possible risk of attack. Resources that have high traffiс or collect personal user data should be identified strictly by reliable certificates.

You can create unlimited self-signed certificate versions. However, site visitors will always receive warnings of this kind:

Such messages repel users. Most of the potential visitors will choose to stay away from unreliable sites that will result in significant traffic decrease.

The conclusion is evident: to attract visitors, you should apply only reliable certificates signed by popular authorized centers. Their root certificates are included in any browser that signals users about encryption security.

Self-signed certificates can be created manually using special programs and libraries. For example, there is Windows-supported software like OpenSSL software bank or PowerShell console. These tools allow generating SSL certificates, creating open and private keys.

Setting up a self-signed SSL certificate with OpenSSL imposes using the following commands:

out /home/devuser/cert/cert.crt — certificate location;
newkey rsa:2048 — automatic key development in case you do not have any;
req-x509 — self-signed certificate generating request;
keyout /home/devuser/cert/mykey.key — key generating request.

Having entered the password, you need to type in the description of your server. If you want to leave certain parameters blank - put a point mark «.» at the end of the command string:

In your browser, you may specify that the implied certificate is secure. Thus, you will avoid popping up of the "insecure connection" message on your device. Still, other users will keep on receiving this message.

Creating a self-signed certificate with PowerShell utility for Windows requires entering the following command:

This serves as a request for a self-signed certificate which then should be included in the folder containing reliable certificates. It will prevent the browser from reporting an encryption error.

This is how a self-signed certificate looks in Nginx server:

cert.crt stands for an open key, and cert.key means a private key.

In Apache server, self-signed certificate appears in the following way:

Site.ru stands for the domain where you intend to apply the generated certificate.

Reliable centers issue various certificate variants that differ in price. Basic certificates verify domain name identity. More expensive ones are submitted upon the profound inspection of company data received directly from applicants to the extent of contact information and documentation.

The green badge with centre logo will appear on your site when the identification is successfully completed. This factor remarkably encourages user trust.

Self-signed and trusted certificates possess identical technical characteristics. A self-signed SSL certificate executes encryption of the data that passes from your browser to the server.

However, this data is at risk of attack by third parties and cannot be recalled. Besides, web resources protected by self-signed certificates will keep on reporting an insecure connection which will negatively influence the traffic of the site.

The use of self-signed certificates is acceptable for tested resources and minor companies' websites provided that the staff is informed about the insecure connection matter. Commercial resources with high traffic should be identified only by reliable certification centers.

You can receive a free-of-charge certificate with a subscription that will function until you are ready to purchase the paid version. Read more about free certificates.