What are Self-Signed Certificates?
A self-signed certificate is a digital certificate created by the same entity it is issued to. It establishes identity, but it does it with circular logic (“I am me because I said so”). It’s the cybersecurity equivalent of “Trust me, bro.”
That definition makes more sense when juxtaposed with its counterpart: What is a signed certificate?
A signed certificate, more accurately called a CA-signed certificate, is one that’s been issued by a publicly-trusted certificate authority (CA), lending its identity claims credence and establishing a trust chain. Other entities on the network (from your email inbox to a site on the internet) already trust the CA, and will extend that trust to the bearer of the signed certificate.
What is the difference between signed certificates and self-signed certificates? Broadly speaking, the answer is that signed certificates are trustworthy and self-signed certificates are not. But there are a couple types of signed certificates worth mentioning.
Public Certificate vs Private Certificate vs Self-Signed Certificate
A public certificate is an X.509 digital certificate that is issued by an external, publicly-trusted certificate authority (such as DigiCert or Let’s Encrypt) and is used to authenticate public services and external applications.
Public CAs are subject to rigorous compliance standards to ensure their identity and legitimacy and they extend that trust to any certificate they sign. That’s why buying a certificate from a public CA can be expensive – before they put their reputation on the line and vouch for your identity, they have to do their due diligence to establish the identity of the entity they are issuing a certificate for.
A private certificate is an X.509 digital certificate that is only used to authenticate users or devices within your internal network. A public CA could issue a private certificate, but it’s more common that they are generated in-house through a private CA as part of an internal public key infrastructure (PKI).
You might see private certs employed for something like S/MIME – email protection that verifies emails that claim to be sent from within your organization are legitimate and unaltered. Importantly, private certificates still offer a high degree of identity assurance and trust since they were generated by a proper PKI.
Self-signed certificates are very different from public and private certificates because they are not signed by a certificate authority and therefore provide no trust. Instead, they are signed with their own private key. This small difference makes them fundamentally unsuited for many common certificate applications, though not entirely without their uses.
Is a self-signed certificate valid?
Yes, a self-signed certificate is intrinsically valid because it is self-referential. Essentially, it asks the paradoxical question “Am I me?”, so the answer is always “yes”. If the answer is “no”, that’s an identity crisis and we can’t help you (though identity management crises are right up our alley; read this case study to see how we helped this company add identity context to their authentication).
There’s another way to interpret the question “is a self-signed certificate valid?”. An example might be “Is a self-signed certificate valid for SSL authentication?” To that, the answer is a definite no, but we’ll discuss that situation in more depth below.
Another question we often hear is: “Are self-signed certificates still encrypted?” That’s a bit of a misleading question because X.509 digital certificates are not themselves encrypted. You can quite easily inspect their contents and learn everything about them except for one thing – their private key.
Certificates are not encrypted because they are used as a tool to encrypt and decrypt other communication. At the risk of over-simplifying the wonderful and complex topic of asymmetric cryptography, anyone can use the public key of a certificate to encrypt a message that can only be decrypted by the corresponding private key (which only the holder of the certificate possesses, as it is part of the public-private key pair that forms the basis of X.509 certificates).
What’s wrong with self-signed certificates?
The disadvantages of a self-signed certificate are significant:
- They do not provide any trust value, so are mostly useless in establishing identity assurance.
- Self-signed certificates cannot be revoked. One could be “invalidated” by removing it from a whitelist, but that requires having trusted it in the first place.
- They are not managed by a public key infrastructure (PKI), so they are very likely to be “lost” (especially since they can’t be revoked), creating a significant gap in your security perimeter.
If self-signed certificates are so risky, what is the point of a self-signed certificate?
When is it okay to use self-signed certs?
So, what are self-signed certificates used for then? There are 3 common use cases for self-signed certs:
- In the creation of a root Certificate Authority, the CA must sign its own certificate (this establishes the foundation of the trust chain).
- For internal-only authentication, such as a self-signed server certificate for validating that emails were sent from within the organization.
- Generating a self-signed certificate for validation/experimentation in a test environment.
Should I trust a self-signed certificate? Only if you encounter it in one of the three scenarios listed above. Any other self-signed certificate you see floating around can’t be trusted because there’s no way to verify if it really represents the user or device it claims to be.
How to Create a Self-Signed Certificate
So now that you’re familiar with the advantages and disadvantages of self-signed certs, you might be thinking, “How do I get a self-signed certificate?” Generating one yourself is a good exercise to better appreciate the utility of X.509 certificate templates.
Here’s a simple command to get you started. You can generate a self-signed certificate by running Windows PowerShell as an admin and entering:
New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "mysite.local" -FriendlyName "MySiteCert" -NotAfter (Get-Date).AddYears(1)
You should see something like this:
Congratulations, you’ve generated a self-signed certificate that is valid for one year (the lifetime set by -NotAfter above). Inspect it by searching for Manage Computer Certificates in the Windows Start menu; your certificate will be in the Personal > Certificates subfolder.
Note that if you inspect your new certificate, you’ll get a warning that it is untrusted. Your computer (rightfully) only trusts certificates issued by CAs in its Trusted Root CA Store, a pre-programmed list of trusted public CAs (for the most part, but that’s a conversation for an article about trust chains).
Self-Signed Certificates are Risky
Should I use self-signed certificates? Outside of a few typical use cases, almost certainly not. Given the potential for exploitation by bad actors and the ease with which self-signed certs slip through the cracks, it’s a best practice to avoid them where possible.
Instead, embrace the multitude of security and user experience benefits that come from signed digital certificates! Use them for passwordless authentication to desktop, Wi-Fi, and other applications; use them for identity and device management; use them to thwart phishing and over-the-air attacks. SecureW2 has the tools and experience you need to implement a PKI for a comprehensive certificate management platform.
We have affordable options for organizations of every size; click here to see our pricing.
Self-Signed Certificate FAQs
- Which certificate authority can issue a self-signed certificate?
- This is a trick question – you do not need a certificate authority to issue a self-signed certificate. Anyone can generate one and sign it using its own private key. You can even use a self-signed certificate to generate your own certificate authority (indeed, this is how all root CAs are made).
- Can you use a self-signed certificate with SSL?
- No. A public certificate is required for SSL. Most browsers will warn users away from sites without a valid SSL certificate.
- How do I fix a self-signed SSL certificate?
- The only fix for a self-signed SSL certificate is to replace it with a new SSL certificate issued by a trusted public CA. There’s no reason not to, as SSL certificates can be easily acquired for free. Most site hosts offer free SSL certificates to their customers, or you can grab one from a non-profit public CA like Let’s Encrypt.
- What is the difference between SSL and self-signed certificate?
- These aren’t really comparable, even though they’re often talked about in the same breath. SSL (Secure Sockets Layer) is a security protocol that validates the identity of a website and establishes a secure connection to a client. A self-signed certificate is just that – an identity management key.
- What is the major risk when using self-signed certificate for a website?
- Using a self-signed certificate on a website (for SSL) confers no risk on the website. The SSL certificate only verifies the legitimacy of the website and enables a secure HTTPS connection for visitors; it’s not a vector of attack. However, search engines may not index your site and users will be warned against visiting, so if there is a risk, it is to your visibility.
- Is a self-signed certificate better than no certificate?
- As with many cybersecurity concepts, weak security is often worse than no security because it introduces easy attack vectors. A self-signed certificate should never be used in the place of a signed certificate outside of the few specific scenarios described above.
- What digital certificates are self-signed?
- The vast majority of certificates you might encounter on a day-to-day basis are either public certificates distributed by a public CA or are private certificates (also distributed by a trusted CA, either private or public).
- How do I know if a certificate is self-signed?
- This is an easy one. Inspect the properties of the certificate, and if the Issuer and the Subject have the same value, it means it signed itself. If they are different, it was signed by a CA.