Comparing Self vs CA Signed SSL Certificate
When encrypting communications over HTTP, you need a certificate to implement the SSL protocol. You can obtain a valid certificate by purchasing one from a certificate authority (CA). The other option is to create a self-signed certificate. This type of certificate is not signed by any CA; instead, it is signed by the website's own organization, using their own software.
Each certificate type has advantages and disadvantages compared with the other. First, let's discuss self-signed certificates:
Self-Signed Certificate
- One advantage of self-signed certificates is cost: they do not require any fees to generate. In addition, you do not have to rely on a certificate authority to create the certificate.
- Self-signed certificates use the same ciphers as paid SSL certificates, meaning the data exchanged between the two parties is still encrypted and decrypted. In addition, unlike CA certificates, renewal is not necessary, or not needed for a long time, since the validity period of a self-signed certificate is set by whoever generates it and can be made far longer than a CA would issue.
Although the advantages listed above make self-signed certificates seem like an ideal choice, keep in mind the issues with using them:
- Not trusted by browsers and external networks - Since a self-signed certificate has not been digitally signed by a CA, other networks will not trust it. When an external client visits a website with a self-signed certificate, the browser displays a warning that the site is not trusted or is unsafe. This makes users uncomfortable, and they will likely leave the website since it appears not to be safe.
- Vulnerable to attacks - Even though the certificate uses the same ciphers to encrypt and decrypt data, the connection is still vulnerable. Because no trusted third party vouches for the certificate, a client cannot tell the site's genuine self-signed certificate from one an attacker generated, which is what makes man-in-the-middle attacks possible.
CA Certificate
- Certificates from a CA are trusted by external networks and browsers. When a user visits a trusted website, the browser lets them know the site is secured, usually by displaying a green padlock next to the URL. This welcomes users and brings them comfort while browsing the trusted website.
- Security - CA certificates are not exposed to the man-in-the-middle attacks that self-signed certificates are, because the browser can verify the CA's signature against its trust store and reject an impostor certificate. CA certificates protect sensitive information, such as social security or credit card numbers, from being leaked.
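As an added example (not part of the original article), the Go program below uses only the standard library to build a self-signed certificate and a CA-signed one, then runs the same check a browser performs: a certificate is trusted only if it chains to a root in the client's trust store and covers the hostname, regardless of which ciphers it uses. The hostname intranet.example and the CA name are constructed values.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// newCert issues a certificate for name, signed by parent/parentKey. With parent == nil
// the certificate signs itself, which is exactly what a self-signed certificate is.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage |= x509.KeyUsageCertSign // only a CA certificate may sign other certificates
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // whoever issues the cert picks its lifetime
		KeyUsage:              usage,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trustedFor is the check a browser makes before showing the padlock: does c chain to a
// root in the trust store and cover the hostname visited? Trust comes from the store, not
// from the cipher suite, which is why a self-signed certificate fails against public roots.
func trustedFor(c *x509.Certificate, roots *x509.CertPool, name string) bool {
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: name})
	return err == nil
}
func main() {
	c, _ := newCert("intranet.example", false, nil, nil) // constructed hostname
	fmt.Println(trustedFor(c, x509.NewCertPool(), "intranet.example")) // false: no root vouches for it
}
```

Adding the self-signed certificate itself to the pool makes trustedFor return true, which is the manual trust step an intranet deployment relies on.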
CA certificates also have disadvantages, listed below:
- When you want to obtain a valid certificate from a CA, you will need to pay them to generate the file for you. Additional costs are involved for renewal.
- Since the CA issues and holds the certificate, you'll need to contact your CA when you need to renew it or need further troubleshooting.
Which certificate should I use?
Which type of certificate you use depends on your environment. For example, a self-signed certificate can be used in an internal (or intranet) environment, where none of the websites are external. This type of certificate is also good for trying things out in a testing environment. Consider using a CA certificate when you need security and validation of your domains so that they can be trusted publicly.