Self-signed certificate

From Wikipedia, the free encyclopedia
  (Redirected from Self signed certificate)
Jump to: navigation, search

In cryptography and computer security, a self-signed certificate is an identity certificate that is signed by the same entity whose identity it certifies. This term has nothing to do with the identity of the person or organization that actually performed the signing procedure. In technical terms a self-signed certificate is one signed with its own private key.

In typical public key infrastructure (PKI) arrangements, a digital signature from a certificate authority (CA) attests that a particular public key certificate is valid (i.e., contains correct information).[1]

Security issues[edit]

CAs are third parties and require both parties to trust the CA.[citation needed] (CAs are typically large, impersonal enterprises and a high-value target for compromise.) If the parties know each other, trust each other to protect their private keys, and can confirm the accurate transfer of public keys (e.g. compare the hash out of band), then self-signed certificates may decrease overall risk. Self-signed certificate transactions may also present a far smaller attack surface.

Self-signed certificates cannot (by nature) be revoked,[2] which may allow an attacker who has already gained access to monitor and inject data into a connection to spoof an identity if a private key has been compromised. CAs on the other hand have the ability to revoke any compromised certificates they signed if alerted, which prevents its further use.

Some CAs can verify the identity of the person to whom they issue a certificate; for example the US military issues their Common Access Cards in person, with multiple forms of other ID, and only when a higher authority requires the issue.

Other issues[edit]

Cost Self-signed certificates can be created for free using a wide variety of tools including OpenSSL, Java's keytool, Adobe Reader, and Apple's Keychain. Certificates bought from major CAs often cost around a hundred dollars per year. In December 2015[3] Mozilla Foundation has launched Let's encrypt, which allows one to obtain a DV certificate gratis.

Speed to Deploy Self-signed certificates require the two parties to interact (e.g. to securely trade public keys). Using a CA requires only the CA and the certificate holder to interact; the holder of the public key can validate its authenticity with the CA's root certificate.

Customization Self-signed certificates are easier to customize, for example a larger key size, contained data, metadata, etc.

See also[edit]


  1. ^ PERLMAN, RADIA (1995). Network Security Private Communication in a PUBLIC World. Prentice Hall. p. 190. ISBN 0-13-061466-1. 
  2. ^
  3. ^ "Public Beta". Let's encrypt. Retrieved 2015-12-06.