This article briefly explains the difference between self-signed certificates and certificates signed by a Certificate Authority (CA).
When you connect to a server, your requests and the returned answers pass from computer to computer. If a so-called man in the middle is sniffing the traffic, he can read all unencrypted information in plain text. In other words, if the information is not encrypted, any computer it passes through can see your credit card numbers and authentication credentials. The main purpose of CA-signed and self-signed certificates is to keep information traversing the Internet encrypted, unreadable to everyone except the intended recipient.
If you want to provide a secure connection to your website’s visitors, you will need to install an SSL certificate for your website. But what if someone copies your website to another server and installs a certificate there as well? That connection will also be encrypted, but the copied site could be altered and used for purposes other than your own.
Herein lies the difference between the two certificate types: when your browser makes an https connection to a server with a self-signed certificate, the user receives a security alert. This alert informs the user that the certificate has not been issued by an organization the user can trust. Such a message is not suitable for commercial websites.
Here is an example of such a message:
Understandably, such a message can drive away potential clients. Both your site’s reputation and your visitors’ trust are impaired.
This leaves self-signed certificates with one purpose: encrypting connections to personal sites or to internal sites their users already know. For example, at Hostway we provision servers with control panels such as Plesk and cPanel, which can be used over secure connections with self-signed certificates. These servers are managed by you; even if your browser shows a warning, you know this is your server, and the connection can be used for server management.
Self-signed certificates are also great for testing environments. If you're creating a website that you need to test over an https connection, you don't have to pay for a signed certificate. You just need to tell your testers that their browser may produce warning messages.
This type of certificate is not the right option for e-commerce websites, which usually involve online transactions. To avoid the browser warning, the SSL certificate must be signed by a Certificate Authority. Certificate Authorities are third-party entities that verify the identity of an online business and vouch for that identity by issuing a digital certificate.
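The browser check described above, as an added example using Go's standard library (not code from the original article or from Hostway): a constructed CA, a server certificate signed only with its own key, and the same server certificate signed by the CA are checked against a trust store that contains only the CA, and then the self-signed one is checked again after its owner adds it to the store. The hostname shop.example.test and the CA name are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const host = "shop.example.test" // placeholder hostname for the constructed certificates

// must panics on error so the example stays short; real code would return the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// tmpl returns a one-day certificate template with the given key usage and DNS names (SANs).
func tmpl(cn string, serial int64, isCA bool, ku x509.KeyUsage, sans ...string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: ku, DNSNames: sans}
}

// issue signs template t on behalf of parent with parentKey; parent == t yields a self-signed certificate.
func issue(t, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey))))
}

// browserTrusts is the browser's https check: chain the server certificate to a root in its trust
// store for the visited host. false is the "security alert" case the article describes.
func browserTrusts(server *x509.Certificate, store *x509.CertPool) bool {
	_, err := server.Verify(x509.VerifyOptions{Roots: store, DNSName: host})
	return err == nil
}

// Compare reports whether a browser trusting only the CA accepts the self-signed and the CA-signed
// certificate, then whether the self-signed one passes once its owner adds it to the trust store.
func Compare() (selfSigned, caSigned, selfSignedAdded bool) {
	caKey, srvKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caT := tmpl("Example Root CA", 1, true, x509.KeyUsageCertSign)
	ca := issue(caT, caT, &caKey.PublicKey, caKey) // a CA's root certificate is itself self-signed
	srvT := tmpl(host, 2, false, x509.KeyUsageDigitalSignature, host)
	selfCert := issue(srvT, srvT, &srvKey.PublicKey, srvKey) // server certificate signed with its own key
	caCert := issue(srvT, ca, &srvKey.PublicKey, caKey)      // same server, signed by the CA
	store := x509.NewCertPool()
	store.AddCert(ca)
	selfSigned, caSigned = browserTrusts(selfCert, store), browserTrusts(caCert, store)
	store.AddCert(selfCert) // the owner's "you know this is your server" decision, made explicit
	return selfSigned, caSigned, browserTrusts(selfCert, store)
}

func main() { fmt.Println(Compare()) } // false true true
```

The first two results are the two browser outcomes the article contrasts; the third shows that accepting a self-signed certificate is a trust decision made locally, per store, not something the certificate itself can carry.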
VeriSign, Thawte, GeoTrust and RapidSSL are such Trusted Certificate Authorities. Hostway offers signed SSL Certificates through its partnership with GeoTrust.
Here is how such a certificate can appear in your browser:
This is a verified certificate issued by a trusted certificate authority, which tells your customers that the server's identity has been checked by a trusted source.
Signed certificates put your customers’ minds at ease about doing business with you. They will feel more confident about entering personal information and buying online without fear that their financial information may be stolen.