What is a self-signed certificate, and when should you use one?
Quick Answer
A self-signed certificate is signed with its own private key instead of a CA's. It doesn't chain up to any root a browser trusts, so browsers show a warning for it. They are fine for local development, internal testing, or system-to-system links where you manually configure trust — but never for a public production website.
Detailed Answer
Normally, a certificate is signed by a CA's private key. A self-signed certificate skips that step: the certificate's owner signs it with their own private key instead.
Normal certificate: leaf <-- signed by -- CA
Self-signed certificate: leaf <-- signed by -- itself
The math still works — you can verify the signature using the public key inside the same certificate. But that only proves the certificate is internally consistent. It proves nothing about who actually controls the domain, because there is no independent CA vouching for it.
Browsers have no reason to trust a random self-signed certificate, so they show a warning like "Your connection is not private."
Good use cases:
- Local development, for example
https://localhostwhile building an app. - Internal tools, where you manually install the certificate as trusted on every machine that needs it.
- Testing TLS configuration before getting a real certificate.
Never use a self-signed certificate for a public-facing production website — visitors would see security warnings, and it is trivial for an attacker to also self-sign a certificate impersonating your site.