Signed vs. Self-signed Certificates

What is the Difference and How Should They Be Used

Lock your sites with SSL. Image courtesy Pixabay

Security is a critically important factor in the success of any website. This is especially true for sites that need to collect PII, or "personally identifiable information", from visitors. Think about a site that requires you to enter a social security number, or more commonly, an Ecommerce site where you need to enter credit card details to complete your purchase. On sites like these, security is not only expected by visitors, it is essential to success.

When you're building an Ecommerce site, one of the first things you'll need to set up is a security certificate so that traffic to your server is encrypted. When you set this up, you have the option of creating a self-signed certificate or obtaining a certificate signed by a certificate authority (CA). Let's take a look at the differences between these two approaches to website security certs.

Similarities Between Signed and Self-Signed Certificates

Whether you get your certificate signed by a certificate authority or sign it yourself, there is one thing that is exactly the same on both:

  • With either certificate, the data exchanged with the site cannot be read by third parties. Data sent over an https (SSL) connection is encrypted regardless of whether the certificate is CA-signed or self-signed.

In other words, both types of certificates will encrypt the data to create a secure website. From a digital security perspective, this is step 1 of the process.

Why Would You Pay a Certificate Authority?

A certificate authority tells your customers that this server's identity has been verified by a trusted source, and not just by the company that owns the website. In other words, a third party has vouched for the certificate's information.

The most commonly used Certificate Authority is Verisign.

Depending upon which CA is used, the domain is verified and a certificate is issued. Verisign and other trusted CAs will verify the existence of the business in question and the ownership of the domain to provide a bit more security that the site in question is legitimate.

The problem with using a self-signed certificate is that nearly every Web browser checks that an https connection is signed by a recognized CA. If the connection is self-signed, this will be flagged as potentially risky and error messages will pop up encouraging your customers to not trust the site, even if it is, indeed, secure.

When Can You Use a Self-Signed Certificate?

Since both encrypt the connection, you can use a self-signed certificate anywhere you would use a signed certificate, but some places work better than others.

Self-signed certificates are great for testing servers. If you're creating a website that you need to test over an https connection, you don't have to pay for a signed certificate for that development site (which is likely to be an internal resource). You just need to tell your testers that their browser may pop warning messages.
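To make the difference concrete, here is an added shell example (not from the original article) that creates a self-signed certificate and a certificate signed by a throwaway local CA, then checks each against a trust store the way a browser does. The hostname example.test, the file names, the 30-day lifetime and the local CA are all assumptions. The same check also shows why a self-signed certificate is workable for a test server: once the certificate itself is added to the trust store, it verifies cleanly.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article. Requires the openssl CLI.
# Hostname "example.test", file names and the "Local Test CA" are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# A self-signed certificate: the site's own key signs the site's own certificate.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=example.test" \
    -addext "subjectAltName=DNS:example.test" \
    -keyout "$WORKDIR/self.key" -out "$WORKDIR/self.crt" 2>/dev/null
}

# A CA-signed certificate: a separate CA key signs a request from the site.
# The CA's own root certificate is self-signed; what makes it "trusted" is that
# it is installed in the browser's (here, our) trust store.
make_ca_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Local Test CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
  # the site generates a key and a certificate signing request (CSR)
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=example.test" \
    -keyout "$WORKDIR/site.key" -out "$WORKDIR/site.csr" 2>/dev/null
  # the CA signs the CSR, adding the hostname as a subjectAltName
  printf 'subjectAltName=DNS:example.test\n' > "$WORKDIR/san.ext"
  openssl x509 -req -in "$WORKDIR/site.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -days 30 -extfile "$WORKDIR/san.ext" -out "$WORKDIR/site.crt" 2>/dev/null
}

# Check a certificate the way a browser does: is it signed by a root in the
# trust store, and does it name the host we are connecting to?
# $1 = certificate to check, $2 = trusted root bundle, $3 = expected hostname
# Prints "trusted" or "untrusted".
check_trust() {
  if openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_self_signed
make_ca_signed
echo "self-signed cert, CA root trusted:      $(check_trust "$WORKDIR/self.crt" "$WORKDIR/ca.crt" example.test)"
echo "CA-signed cert, CA root trusted:        $(check_trust "$WORKDIR/site.crt" "$WORKDIR/ca.crt" example.test)"
echo "self-signed cert, itself trusted:       $(check_trust "$WORKDIR/self.crt" "$WORKDIR/self.crt" example.test)"
echo "CA-signed cert, only self-signed trusted: $(check_trust "$WORKDIR/site.crt" "$WORKDIR/self.crt" example.test)"
```

Both certificates encrypt traffic identically; the only thing the verification step looks at is whether the signer is in the trust store. That is the check a browser performs, and it is why a self-signed certificate produces the warning the article describes while the same certificate is accepted once testers import it as trusted.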

You can also use self-signed certificates in situations that call for privacy but where visitors are less likely to be put off by a browser warning.

For example:

  • Username and password forms
  • Collecting personal but non-financial information (PII)
  • On forms where the only users are people who know and trust you, like a company Intranet

What it comes down to is trust. When you use a self-signed certificate, you are saying to your customers "trust me - I am who I say I am." When you use a certificate signed by a CA, you are saying, "Trust me - Verisign agrees I am who I say I am." If your site is open to the public and you are trying to do business with them, the latter is a much stronger argument to make.

If You're Doing Ecommerce, You Need a Signed Certificate

It is possible your customers will forgive you a self-signed certificate if all they use it for is to log in to your website, but if you're asking them to enter their credit card or PayPal information, then you really need a signed certificate.

Most people trust the signed certificates and won't do business over an HTTPS server without one. So if you're trying to sell something on your website, invest in that certificate. It's part of the cost of doing business and being engaged in online selling.

Original article by Jennifer Krynin. Edited by Jeremy Girard on 3/2/17