About self-signed certificates in Trust Protection Foundation

A self-signed certificate is an identity certificate that is signed by the same person or organization whose identity it certifies: it is signed with the private key that corresponds to its own public key, so the subject and the issuer are the same entity.

What’s the difference between a certificate issued by a Certificate Authority and a self-signed certificate?

A Certificate Authority (CA) issues a digital certificate that verifies the ownership of a public key by the named subject of the certificate. The CA is a trusted third party, trusted by both the subject (who asked to be verified) and the person doing business with the subject (who relies on the validity of the certificate). A self-signed certificate has no such third party: the subject vouches for itself, and anyone relying on the certificate must decide to trust it directly.

When is it okay to use self-signed certificates?

When you’re sure that self-signed certificates are accounted for and under management, they can be used on an internal network. If a CA is not required to verify the identity of the subject to a relying party, and the relying party instead chooses direct trust of the certificate, then self-signed certificates can be used.

When properly managed, self-signed certificates can be an efficient and less costly way to manage security.

What are the risks of using self-signed certificates?

In general, it is wise to be diligent when using self-signed certificates because of the inherent risk: no independent party verifies the identity of the subject, and there is no trust control. The public and private keys are both held by the same entity, which is also the only party vouching for them.

Self-signed certificates cannot be revoked; they can only be replaced. If an attacker has already gained access to a system and its private key, the attacker can spoof the identity of the subject. A CA can revoke a certificate it issued when it discovers the compromise, but a self-signed certificate has no issuer to revoke it, so every relying party that trusts it directly must be updated to trust the replacement instead.

Who should be allowed to create self-signed certificates?

Self-signed certificate templates don't require any credentials to create or use. Any user with Create permissions can create a self-signed certificate template. Policy branches that do not have an enforced “certificate authority template” value can be set to use any existing certificate template object.

Trust Protection Foundation administrators who want to control how users create and use self-signed certificates should review user permissions, policy settings, and workflow implementations in their environment. One example is locking, at the policy level, the certificate authority template that certificate objects are allowed to use.
