Is it a bad practice to use self-signed SSL certificates?

As RandomBen said, self-signed certificates are generally frowned upon for the reasons he explained. But there is one situation in which they are fine: if the set of people who need to submit sensitive data to your website is small and limited, they are all somewhat technically competent, and you are able to communicate with all of them. In that case you can give each person the certificate details, then they can manually check the certificate when they go to your site and add a security exception if appropriate.

As an extreme example, on my personal VPS I have an administrative subdomain, which should only ever be accessed by me. There would be no problem securing that domain with a self-signed cert because I can manually check that the server certificate being used to secure the connection is the same one I installed on the server.

In cases where a self-signed cert won't work or you'd rather have a "real" one, I recommend Let's Encrypt, a project started by the Internet Security Research Group and supported by major internet companies, which offers SSL certificates at no cost. They can do this because the verification process they use is completely automated, and in fact a web server which supports their ACME protocol (like Caddy, which I currently use) can obtain certificates entirely on its own. Let's Encrypt does not verify that you, as a person, are who you say you are; it only verifies that your web server is capable of serving content on the domain it claims to. Let's Encrypt is supported by all major browsers, but it's well known that the verification is minimal, so if you are running something like an e-commerce site or anything where people will be submitting sensitive information, you should probably spend the money to get a certificate with a higher level of validation.

I used to recommend the free StartSSL certificates from StartCom for people who didn't want to pay for validation, but not anymore. StartCom was secretly acquired by WoSign in 2016 and subsequently issued illegitimate certificates for several domains. As a result, the major browsers removed their support for StartCom certificates. (As far as I know, IE never supported them anyway.) In any case, Let's Encrypt is far more convenient.


In general it is bad to use a self-signed cert. If you do that then you are running the risk people will leave your site when they get a warning about your cert being bad. More importantly, you are running a larger risk of having someone do an injection attack where they use their own self-signed cert in the place of yours and the visitor will not know any better.

Check out the article here, http://www.sslshopper.com/article-when-are-self-signed-certificates-acceptable.html for a little more info on it.


It is not bad practice to use self-signed certificates. Self-signed certificates have a lot of practical purposes for which it simply doesn't make sense to use a CA-signed certificate.

For example, on many of my servers, I have passwordless login set up. These are servers that I connect to so frequently, and sometimes keep multiple SSH connections open to, that it's a hassle to type in my username and password every single time.

Instead, I use a self-signed SSL certificate that I generate on each of my client machines (a workstation at the office, a laptop, and my home workstation). This sort of setup allows me to use fairly long, secure, and completely unique passphrases for each of my servers without affecting productivity. And because I have direct access to the servers where I can install the public key for each certificate, there's no point in me using a CA-signed certificate.

I could set up my own root CA with which I can sign all of the internal-use certificates for our company, and this way I would only need to install a single public key on each server. However, our organization hasn't grown to the size that really necessitates this, and for the purposes of secure HTTP, this would still be the same as having a self-signed certificate.

Likewise, self-signed certificates are frequently used for email connections, PGP signatures, and server-to-server connections where it's trivial to pre-exchange public keys. In many of these cases, this is actually more secure than relying on a certificate chain which could be compromised at any point in the chain.
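The manual certificate check the first answer describes (handing each user the certificate details so they can verify it before adding an exception) and the pre-exchanged-key setup the third answer mentions both come down to the same thing: pinning a self-signed certificate by its fingerprint instead of trusting a CA chain. The script below is an added example and is not code from any of the answers. It assumes the `openssl` command-line tool is installed; the hostname `admin.example.invalid` and all file paths are placeholders. The offline demo generates a genuine certificate and an impostor's certificate for the same name, which is exactly the substitution the second answer warns about, and shows that only the pinned fingerprint tells them apart.

```shell
#!/bin/sh
# Added example, not code from the original answers. Demonstrates
# "manually checking the certificate": pin a self-signed certificate by
# its SHA-256 fingerprint, which the site owner hands to each user out of
# band, instead of trusting a CA chain.
# Assumptions: the openssl command-line tool is installed; the hostname
# admin.example.invalid and all paths are placeholders.
set -eu

# Server side: generate a fresh self-signed certificate and key.
#   $1 = output directory, $2 = hostname to put in the subject CN
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$2" -keyout "$1/server.key" -out "$1/server.crt" \
        2>/dev/null
}

# SHA-256 fingerprint of a PEM certificate, upper-case and colon separated,
# the same string a browser's certificate viewer and
# `openssl x509 -fingerprint -sha256` display.
#   $1 = path to PEM certificate
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//' | tr 'a-f' 'A-F'
}

# Fetch the leaf certificate a live server presents (real-world use; the
# offline demo below does not call it).  $1 = host, $2 = port
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# Client side: accept the presented certificate only if its fingerprint
# equals the pinned one. Returns 0 on match, 1 on mismatch.
#   $1 = presented certificate (PEM), $2 = pinned fingerprint
check_pin() {
    expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    presented=$(fingerprint "$1")
    if [ "$presented" = "$expected" ]; then
        echo "OK: certificate matches pinned fingerprint"
        return 0
    fi
    echo "REJECT: expected $expected, server presented $presented" >&2
    return 1
}

# Offline demo: a genuine cert and an impostor's cert for the same name are
# both well-formed self-signed certs, so only the pin tells them apart.
demo() {
    work=$(mktemp -d)
    mkdir "$work/genuine" "$work/impostor"
    make_self_signed "$work/genuine"  admin.example.invalid
    make_self_signed "$work/impostor" admin.example.invalid
    pin=$(fingerprint "$work/genuine/server.crt")   # distributed out of band
    echo "pinned: $pin"
    check_pin "$work/genuine/server.crt"  "$pin"
    check_pin "$work/impostor/server.crt" "$pin" || echo "impostor rejected"
    rm -rf "$work"
}

demo
```

The pin is the value the server administrator sends to each user ahead of time; in a browser the user compares it against the SHA-256 fingerprint in the certificate viewer before adding a security exception, and for a scripted client `fetch_server_cert` feeds `check_pin`. A pin is tied to one certificate, so it has to be redistributed whenever the server certificate is rotated; that maintenance cost is why this approach only scales to the small, known group of users the first answer describes.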