Reputation: 10338
Maybe I'm a little confused on why we need a cert that is signed, but I'm thinking it is only needed if you want to make sure you are connecting to the REAL www.paypal.com and your browser would indicate that it is valid.
However, if I have a mobile app that only does GET/PUT/POST etc. on the endpoint, is using a self-signed cert sufficient?
Upvotes: 0
Views: 62
Reputation: 2777
That depends. If your app is an HTML/CSS/JS app running in a browser then the users of that app are going to be told that your site is not trusted, as it is serving up a certificate that the platform cannot trace back to a root certificate authority.
You would need to install a root CA on the device in order to make the device's browser trust your server's cert. That's not something users are used to doing. See https://jamielinux.com/docs/openssl-certificate-authority/index.html for how to generate CA certs as well as certs for your server and browser.
If your app is a native app making HTTP requests then you will have to handle the fact that the platform does not trust your server's cert. Typically this is done when you try to initiate the connection and the SSL handshake 'fails'. You can tell the platform to continue on silently even though the cert is not trusted.
Basic rule of thumb I guess would be: if only a limited number of people will be using the app (company internal, for instance) self-signed is OK, but if your app is going to be used by the public in general you really should have a cert that's signed by a CA your platform trusts.
Upvotes: 1
Reputation: 887451
Only if you embed the public key in the app (certificate pinning).
Otherwise, you can't tell the difference between your self-signed cert and an attacker's self-signed cert.
Upvotes: 2
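A worked example of the second answer's point, added here and not code from either answer: a native client that keeps its self-signed server cert but still distinguishes it from an attacker's. The client disables CA chain validation (there is no CA to validate against) and instead pins the SHA-256 of the server certificate's SubjectPublicKeyInfo, which is what "embed the public key in the app" amounts to in practice. A second self-signed certificate for the same hostname stands in for an attacker's cert and is rejected. The hostname api.example.test, both certificates and the pin are constructed at run time, and the handshake runs over an in-memory net.Pipe, so nothing touches the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for the given name.
// The name is a constructed example; nothing here is a real deployment.
func selfSigned(cn string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// spkiPin returns base64(SHA-256(SubjectPublicKeyInfo)) of a DER certificate,
// the value that would be compiled into the app as the expected pin.
func spkiPin(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// pinnedClientConfig skips the CA chain check (no CA exists for a self-signed
// cert) but fails the handshake unless the leaf's public key matches the pin.
// InsecureSkipVerify alone, with no VerifyPeerCertificate, would be the
// "continue on silently" behaviour that accepts any certificate at all.
func pinnedClientConfig(pin string) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 {
				return errors.New("no certificate presented")
			}
			got, err := spkiPin(raw[0])
			if err != nil {
				return err
			}
			if got != pin {
				return fmt.Errorf("public key pin mismatch: got %s", got)
			}
			return nil
		},
	}
}

// handshake runs the pinned client against a server holding serverCert over an
// in-memory pipe and returns the client's handshake error (nil = accepted).
func handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	c, s := net.Pipe()
	// Deadlines are a backstop: net.Pipe writes block until read, so a side
	// that stops reading after a failed handshake must not hang the other.
	deadline := time.Now().Add(2 * time.Second)
	c.SetDeadline(deadline)
	s.SetDeadline(deadline)
	srvDone := make(chan struct{})
	go func() {
		defer close(srvDone)
		tls.Server(s, &tls.Config{Certificates: []tls.Certificate{serverCert}}).Handshake()
	}()
	err := tls.Client(c, clientCfg).Handshake()
	c.Close() // unblocks the server side, which may be mid-write
	<-srvDone
	s.Close()
	return err
}

// Demo pins the legitimate server key, then tries the real cert and a second
// self-signed cert for the same name (the attacker). Expected: legit == nil,
// attacker != nil. A setup failure is returned in both positions.
func Demo() (legit error, attacker error) {
	real, err := selfSigned("api.example.test")
	if err != nil {
		return err, err
	}
	pin, err := spkiPin(real.Certificate[0])
	if err != nil {
		return err, err
	}
	fake, err := selfSigned("api.example.test")
	if err != nil {
		return err, err
	}
	cfg := pinnedClientConfig(pin)
	return handshake(real, cfg), handshake(fake, cfg)
}

func main() {
	legit, attacker := Demo()
	fmt.Println("pinned server cert accepted, err =", legit)
	fmt.Println("attacker's self-signed cert rejected, err =", attacker)
}
```

Pinning the SubjectPublicKeyInfo rather than the whole certificate lets the server renew the certificate without an app update as long as the key stays the same; any key rotation, however, needs a new app release, so real deployments ship a backup pin for the next key in advance.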