Self-signed certificates are widely used for testing/development and sometimes in production for internal websites.
Self-signed certificates are created without any CA, so they have no parent: the issuer of the certificate is also its subject.
In general, the use of self-signed certificates should be discouraged because they carry an inherent security risk. For example, there is no way to revoke a self-signed certificate. Using an internal CA to issue all internal certificates is a much better option; we will cover it in a future post. Self-signed certificates are also hard to manage: imagine refreshing the trust stores of all client components every time a self-signed certificate is renewed.
Self-signed certificates come at a substantial maintenance cost: issuing a certificate with a long validity period is insecure, but a short validity period adds to the renewal and distribution overhead.
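As an added illustration (not code from the original post), the following Go program uses the standard crypto/x509 package to build a self-signed certificate, checks that its issuer and subject coincide and that it verifies under its own key, and then shows the trust-store problem described above: a client with an empty store rejects the certificate, and a client that pinned the old certificate rejects a renewed one. The hostname and 30-day validity are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewSelfSigned builds a self-signed leaf certificate for host: the template is
// passed as both subject and parent, so issuer == subject and no chain sits above it.
func NewSelfSigned(host string, days int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Duration(days) * 24 * time.Hour), // keep it short: no revocation
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IsSelfSigned: issuer equals subject and the signature verifies under the cert's own key.
func IsSelfSigned(c *x509.Certificate) bool {
	return c.Issuer.String() == c.Subject.String() &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// TrustedBy reports whether a client whose trust store holds exactly roots accepts c for
// host. Only a client that pinned this exact cert accepts it, so renewal means redistribution.
func TrustedBy(c *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool() // empty, non-nil pool: system roots are never consulted
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := c.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}
```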
The following best practices will help to make self-signed and internally-issued certificates more secure: