There are plenty of great do-it-yourself projects out there. You could re-sod your lawn. You could paint your own living room. You could even restore a 1957 Chevy Bel Air.
But when it comes to SSL Certificates, particularly signing them, don’t do it yourself.
Understanding why requires a basic understanding of SSL certificates. There are really two parts to SSL/TLS. There’s the protocol for encryption, which we colloquially call SSL (Secure Sockets Layer) but is really TLS (Transport Layer Security). SSL was the original encryption protocol. It has since been replaced by TLS. People still call it SSL. We’re getting side-tracked.
The other part of SSL/TLS is the authentication. For this conversation, authentication is really what’s important. When you apply for a certificate, the Certificate Authority is going to vet you. Depending on the level of certificate being applied for, this may require as little as proving you own a domain, or it could be much more comprehensive.
The reason for this is that the Certificate Authority is going to be signing a certificate on your behalf, which essentially vouches for your identity, so that when a browser visits your website it can show the person using it who you are.
Let’s be clear about something right up front: the browsers do not trust you. Period.
It may seem harsh, but it’s just a fact: browsers’ jobs are to surf the internet while protecting their users, and that requires them to be skeptical of everyone and everything. The browsers do, however, trust a small set of recognized Certificate Authorities. This is because those CAs follow certain guidelines, make available certain information, and are regular partners with the browsers. There’s even a forum, called the CA/Browser Forum (CA/B Forum), where the CAs and browsers meet to discuss baseline requirements and new rules that all CAs must abide by to continue being recognized.
It’s highly regulated.
And you are not a part of the CA/B Forum.
When a CA signs your certificate, they’ve vetted you to the degree they are required to and are vouching for your identity. The browsers in turn trust the CA (which can be penalized for mis-issuing SSL certificates) that you are who you say you are, and will allow visitors to begin encrypted communication with your website sans any sort of security warning or pop-up.
If you self-sign your SSL certificate, your website’s visitors (who, if you run an e-commerce site, are your customers) are going to get blasted with a security warning by their browsers as soon as they attempt to reach your site.
Your site will attempt what is called the SSL handshake, a procedure wherein the webserver your site is hosted on negotiates a secure connection with the computer the visitor is browsing on. Had you gotten a certificate signed by a recognized CA, the browser would acquiesce and the handshake would occur unabated.
But you didn’t get your certificate signed by a recognized CA, you signed it yourself. So instead the browser is going to pipe up, in the interest of protecting the user, and essentially say, “hey, we don’t have any idea who this guy is. Are you sure you want to initiate an encrypted connection with an unknown party? Because your information could be going to literally anyone, we have no idea.”
It will do this in the form of a full-page security warning, which varies by browser.
[Images: two browser security warnings for an untrusted certificate]
Obviously this is going to be a nightmare if you’re running an e-commerce business, and even if you’re not, it’s still one heck of a headache. That warning is going to dissuade a substantial number of visitors from clicking through to your site. That means fewer conversions, less traffic.
All because you self-signed.
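The trust decision the article describes, written out as an added example (not the article’s own code) in Go using only the standard library: it constructs a throwaway CA, issues a self-signed and a CA-signed certificate for the constructed host name shop.example.test, and then runs the check a browser performs during the handshake against a trust store that holds only the CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newTemplate: a CA gets the certSign key usage, a server leaf a SAN plus serverAuth EKU.
func newTemplate(cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, // demo serial
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs template with signer; parent == template yields a self-signed certificate.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above; parsing cannot fail
	return cert
}

// Compare issues a self-signed and a CA-signed certificate for host (same site key) and
// runs the browser's check on each: chain to a trusted root and match the requested host.
func Compare(host string) (selfSigned, caSigned error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	siteKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := newTemplate("Example Root CA (constructed)", true)
	caCert := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // the "recognized CA"
	roots := x509.NewCertPool()
	roots.AddCert(caCert) // the browser's root store: it trusts the CA, not you
	leaf := newTemplate(host, false)
	_, selfSigned = issue(leaf, leaf, &siteKey.PublicKey, siteKey).Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	_, caSigned = issue(leaf, caCert, &siteKey.PublicKey, caKey).Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return selfSigned, caSigned // selfSigned: "certificate signed by unknown authority"; caSigned: nil
}
```

The self-signed leaf is rejected not because its signature is bad but because nothing in the trust store vouches for it, which is the situation the browser warning reports.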
Large organizations are a constant target for advanced attackers – but so are smaller companies – which makes security a major priority. Research shows 71% of online shoppers rely on online stores to protect their credentials. So the responsibility falls on your organization to ensure optimal protection for your customers. By securing the privacy of your customers, you will secure the life of your business.
After all, your brand is all you have in the e-commerce world. Anything that damages that brand, from data breaches to online browser warnings, damages your bottom line. So give your customers the ultimate sense of safety—don’t self-sign your SSL certificate.