Christopher Francisco

Reputation: 16288

About Self-Signed SSL

So I just found a tutorial about creating a self-signed certificate. So naturally, I followed it and created one. Then I proceeded to my browser in order to access my server over HTTPS, and a yellow warning appeared from Google Chrome saying "Certificate is not valid" and "Certificate is not trusted".

In order for every machine (not just development) to accept my SSL certificate (green color) do I HAVE to buy a certificate from VeriSign or similar, or is there any way they can check mine or similar in order not to spend money on it?

EDIT: Btw, I'm not really sure if I need SSL encryption; I'm not doing e-commerce, just a POST login form which I don't want to be plain text (thanks to Wireshark).

Upvotes: 0

Views: 145

Answers (2)

gfish3000

Reputation: 1567

Yes, you absolutely do. If you don't have a valid CA that confirmed your identity in the real world, why should anyone trust you? Joe Hacker could issue a self-signed certificate to letmestealyourssn.com and claim that the site is totally secure and legit because he said it is. So no, the web won't take your word for it or install your certs.

But if you want a real SSL certificate without spending money on it, there is StartSSL, and if you're willing to spend some money eventually, after you're done fine-tuning your site, there's Comodo, which offers a 90-day trial. Both will require you to somehow identify yourself in the real world, but you'll get a genuine SSL certificate and browsers will show that green bar you want them to show.

WORD OF CAUTION: CAs do get hacked sometimes and their certificates can get blacklisted, so be very aware of not simply grabbing the cheapest SSL if you want people to trust your site. There are mitigation procedures in place if this happens, but the smaller and less experienced or invested the CA, the slower they'll be implemented, if at all. StartSSL got hacked in 2011 but the hackers were unable to issue fake certs so they're still OK to use for general purposes. For genuine e-commerce though, I highly suggest VeriSign. You'll make that money back and have fewer headaches.

Upvotes: 1

Gary

Reputation: 13922

It's not valid because the user has to have the root certificate installed that signed your cert (your CA's root cert). You could have the user install your root cert but that defeats the whole point of the "do I trust you" thing.

The reason companies sell certificates when they're so easy to generate is that most machines come with the big-name root certificates already installed. Then they have to maintain the integrity of that root; plus, for a fee, they will go a step further and even verify who's buying the cert.

Upvotes: 0
