What is a self signed certificate? Advantages and disadvantages of self signed SSL certificates?
2022-06-30 02:25:00 【Racent_ Y】
"Self-signed certificate" can refer to many different types of certificate, including SSL/TLS certificates, S/MIME certificates, code signing certificates and so on; the most common type is the self-signed SSL certificate. Unlike an SSL certificate issued by a CA, a self-signed certificate usually refers to a certificate file that has not been verified by any third party and is uploaded directly into a private public key infrastructure (PKI).
What is a self-signed SSL certificate?
A self-signed certificate is a digital certificate issued by an untrusted CA, that is, a certificate you issue yourself. Unlike traditional digital certificates issued by a trusted CA, self-signed certificates are created, issued and signed by the company or software developer itself. Although a self-signed certificate uses the same public/private key pair architecture as an X.509 certificate, it lacks validation by a trusted third party (such as Sectigo). The absence of independent validation during issuance creates additional risk, which is why self-signed certificates are not secure for public-facing websites and applications.
What are the advantages of self-signed certificates?
Although using self-signed certificates is risky, they still have their uses.
- Free. Self-signed certificates cost nothing, and any developer can create one.
- Issued at any time. Self-signed certificates can be issued anytime and anywhere, without waiting for verification and issuance by a third-party certification authority.
- Encryption. A self-signed SSL certificate encrypts transmitted data in the same way as any other paid SSL/TLS certificate.
- Convenient. Self-signed certificates do not have to expire or be renewed after a period of time, whereas a CA-issued certificate expires after a set period and must be renewed.
Although self-signed certificates seem convenient, that convenience is also one of their main problems: they cannot meet the requirement of security updates in response to discovered vulnerabilities, nor the certificate agility that modern enterprise security demands. For this reason, few people use self-signed SSL certificates. Moreover, a self-signed certificate cannot be revoked; if it is forgotten or left on a system exposed to malicious actors, it will expose the encryption method used. Unfortunately, even so, some IT departments believe that the cost of certificates issued by a certification authority outweighs the risk of giving up the additional authentication and vulnerability support.
What is wrong with self-signed certificates?
1. Not trusted by browsers, so users are easily lost.
Whenever a user visits a site that uses a self-signed certificate, they receive a "Not secure" warning such as "error_self_signed_cert" or "err_cert_authority_invalid", asking them to confirm that they are willing to accept the risk and continue. These warnings cause fear and anxiety among visitors: users assume the website has been compromised and cannot protect their data, and finally abandon the site for a competitor's website that shows no security warning. In addition, because the self-signed certificate is not trusted by the browser, the address bar shows no padlock and no HTTPS prefix. The figure below shows the status of SSL certificates in the browser address bar: on the left a self-signed SSL certificate, on the right an SSL certificate issued by a trusted CA.
2. Not secure.
Because self-signed certificates support very long validity periods, there is no way to update their security after a new vulnerability is discovered, which leaves them vulnerable to man-in-the-middle attacks. A self-signed SSL certificate has no revocation list to consult, and it is easy for hackers to forge one for use on fake websites; it cannot satisfy current security policies and carries many hidden security risks.
Can enterprises use self-signed certificates?
As mentioned above, using self-signed certificates brings many risks, and the risk is even greater on public-facing sites. A website that handles any sensitive personal information, including health, tax or financial records, must never use a self-signed certificate. A data breach of that kind damages users' trust in the brand, draws penalties under privacy regulations and harms the economic interests of the enterprise.
Many people believe there is no risk in deploying self-signed certificates on a company's internal employee portal or communication site, but that is not the case, because a self-signed certificate on these sites still triggers browser security warnings. Although the warnings can be clicked through, doing so unintentionally trains employees to ignore security warnings, a habit that may expose the enterprise to greater risk in the future.
Although we do not recommend that enterprises use self-signed certificates, they are not useless. In general, self-signed certificates can be used in internal test environments or on web servers to which external personnel have no access.
How to create a self-signed certificate?
Although self-signed certificates carry certain security risks, they have their advantages, so here is how to create one. Creating a self-signed SSL certificate is actually simple; the details depend on your server environment, such as an Apache or Linux server. The method is as follows:
1. Generate the private key
To create an SSL certificate you need a private key and a certificate signing request (CSR). You can generate the private key with a build tool or when submitting a request to a CA; the private key is an encryption key generated with the RSA or ECC algorithm. Example command to generate an RSA private key: openssl genrsa -aes256 -out servername.pass.key 4096. The command then prompts you for a passphrase.
2. Generate the CSR
After the private key has been generated, the private key file (saved in your current directory as servername.key) is used to generate the CSR. Example command for the CSR of a self-signed certificate: openssl req -nodes -new -key servername.key -out servername.csr. You will then be asked for several pieces of information, including organization, organizational unit, country, state or province, city and common name. The common name is the domain name or IP address.
After you enter this information, the servername.csr file will be in the current directory alongside the servername.key private key file.
3. Issue the certificate
Finally, use the servername.key (private key) and servername.csr files to generate the new certificate (.crt). Example command to generate the new certificate: openssl x509 -req -sha256 -days 365 -in servername.csr -signkey servername.key -out servername.crt. Afterwards you will find the servername.crt file in your current directory.
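The three openssl steps above, as an added shell example that is not part of the original post, followed by checks for two properties the post warns about in the "What is wrong" section: the certificate is not trusted by the system trust store that a browser relies on, and it carries no revocation information. The file names, the subject fields and the hostname example.test are placeholders chosen for this example; it assumes openssl 1.1.1 or later is installed and, unlike step 1 above, generates the key without a passphrase so that it runs non-interactively.

```shell
#!/bin/sh
# Added example (not from the original article): builds a self-signed
# certificate with the same key -> CSR -> x509 steps the article describes,
# then checks the properties the article warns about.
# Assumptions: openssl 1.1.1+ on PATH; names and subject fields are placeholders.
set -eu

# Steps 1-3 from the article. $1 = output directory, $2 = common name
# (hostname), $3 = validity in days.
make_self_signed_cert() {
    dir=$1; name=$2; days=$3
    # The article's step 1 uses -aes256 (passphrase-protected key). Omitted
    # here for a non-interactive run; an unencrypted key must stay readable
    # only by the service that uses it, hence the chmod.
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    chmod 600 "$dir/$name.key"
    # -subj replaces the interactive organization/country/CN prompts.
    openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/C=US/O=Example Org/OU=Test/CN=$name"
    # Signing the CSR with its own key is what makes the certificate self-signed.
    openssl x509 -req -sha256 -days "$days" -in "$dir/$name.csr" \
        -signkey "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}

# Returns 0 when issuer and subject are identical, i.e. the certificate
# signed itself. A CA-issued certificate names the CA as issuer instead.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ "$subj" = "$iss" ]
}

# Returns 0 only if the certificate chains to a CA in the system trust store,
# which is the check a browser performs. A self-signed certificate fails it.
# The "OK" line is checked instead of the exit code for older openssl builds.
verify_against_system_store() {
    openssl verify "$1" 2>/dev/null | grep -q ': OK$'
}

# Returns 0 when the certificate verifies after being pinned as its own trust
# anchor, the only way a self-signed certificate passes verification.
verify_with_pinned_cert() {
    openssl verify -CAfile "$1" "$1" 2>/dev/null | grep -q ': OK$'
}

# Returns 0 when the certificate carries a CRL Distribution Points extension.
# Certificates from this procedure have none, so there is nowhere to publish
# or look up a revocation.
cert_has_crl_distribution_point() {
    openssl x509 -in "$1" -noout -text | grep -q "CRL Distribution Points"
}

# Walk through the checks and print what each one means.
demo() {
    dir=$(mktemp -d)
    make_self_signed_cert "$dir" example.test 365
    f=$dir/example.test.crt
    cert_is_self_signed "$f" && echo "issuer == subject: the certificate is self-signed"
    verify_against_system_store "$f" || echo "system trust store: NOT trusted (what a browser sees)"
    verify_with_pinned_cert "$f" && echo "pinned as its own trust anchor: trusted"
    cert_has_crl_distribution_point "$f" || echo "no CRL distribution point: revocation cannot be published"
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh selfsigned_demo.sh demo` to see the four results. Note that this CSR-based flow sets only a common name; current Chrome releases require a subjectAltName extension and reject certificates without one even when the certificate is explicitly trusted, so a self-signed certificate intended for an internal test host also needs that extension.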
Creating a self-signed certificate is simple and needs no third-party verification, so it can be used in an internal test environment; enterprises, however, are advised against using it. Enterprises and organizations should choose SSL certificates issued by a trusted CA. Racent (Ruicheng Information) provides SSL certificates issued by DigiCert, Sectigo, GlobalSign and other world-leading trusted CAs, which help you avoid user churn, data leakage, man-in-the-middle attacks and other security risks. Never spend big to save small; take a long-term perspective to reap long-term benefits!