Self Signed Certificate vs CA Certificate — Which One’s Right for Me?


We get asked a lot about a self-signed certificate vs. a CA-signed certificate — specifically, why you can’t just sign your own SSL certificates and avoid working through the certificate authorities (CAs).

So, let’s talk about why that is. But, first, let’s pose a rhetorical question. If you got pulled over and handed the police officer a driver’s license that you created yourself, would he accept that as official?

No? It’s more likely that you’d find yourself in the back seat of his car, heading to the local police station.

SSL Certificate: Self Signed vs CA

CA Signed SSL Certificates

Ok, now let’s talk about SSL certificates. SSL certificates serve two primary functions:

  1. they enable encryption of the connection, which is what they get the most press for; and
  2. they authenticate the identity of the certificate’s owner.

That second part is why you can’t (or, at least, shouldn’t) self-sign your own certificate.

When you purchase a CA signed certificate, you’re required to undergo a validation process that confirms key identifying information. At the domain validation (DV) level you’re simply proving control over a domain. As you go higher, you get into business authentication, which requires even more information to be verified.

This is done for a very specific reason: as soon as the CA signs that certificate, it’s trusted by every browser or device that trusts the CA. To earn that trust, certificate authorities are required to undergo regular audits and must comply with a strict set of guidelines. As a result of that compliance, any information contained in a certificate signed by that CA is viewed as valid and trustworthy.

When a client arrives at a website with an organization validation (OV) or extended validation (EV) certificate, provided the certificate was properly signed by a CA, it will accept all of the information contained in the certificate as valid.

Self-Signed SSL Certificates

Now, when you sign a certificate yourself, you’re not performing the requisite validation. In fact, even if you did, you can’t validate yourself. There’s no trusted third-party entity involved with that issuance that can vouch for the accuracy of the information contained in the certificate.

Keep in mind, browsers have been designed not to trust by default. They don’t trust you. They only trust the CAs. If a CA vouches for you by signing your certificate, the browsers will extend that trust to you. But without a trusted entity authenticating you, the browsers don’t trust you.

Ergo, any self-signed certificate you try to put on a public-facing website is going to be distrusted and will generate a browser error for any user trying to connect with your website.

Ok, So Why Use Self-Signed Certificates?

Self-signed certificates are great for testing environments and non-public networks. There’s certainly a use case for them. But they don’t belong on the public internet. An SSL certificate can’t authenticate anything if proper validation wasn’t performed by a trusted CA. You’re not a trusted CA. So, don’t use self-signed certificates unless you’re only going to use them inside your own network.

This is why in the debate about a self signed certificate vs CA signed one, we always talk about the importance of buying a commercial SSL certificate from a trusted certificate authority. At ComodoSSLStore.com, we offer the best prices on SSL certificates from Comodo CA brands like PositiveSSL, InstantSSL, EssentialSSL, and EnterpriseSSL. See for yourself why millions trust Comodo CA.
