One type of certificate is meant for internal use and the other can be used on external sites — do you know the difference?
Your website is an integral part of your business, and you must not take any risks when it comes to its security. If you’re searching for the best SSL/TLS certificate for your website and have come across the option of a self-signed certificate, you should know everything about it and how it differs from its alternative solution, i.e., a CA-signed certificate.
CA Certificate vs Self-Signed Certificate
The difference between a CA certificate and a self-signed certificate is the issuer of the certificate. A self-signed certificate is created, signed, and issued by the subject of the certificate (the entity it is issued to), while a CA certificate is created, signed, and issued by a third party called a certificate authority (CA) that is authorized to validate the identity of the applicant. A CA certificate signed by a publicly trusted CA can build trust among the website visitors, and therefore, it is used to validate public websites. A self-signed certificate is used in private networks.
In this article, we’ll help you compare a self-signed certificate vs a CA signed certificate to help you make an informed decision.
Self Signed Certificate vs CA Certificate: What’s the Real Difference?
Let’s explore the various aspects where the self-signed certificate differs from a CA certificate.
Self Signed vs CA: What Each Certificate Entails
Self-signed certificates are created, issued, and signed by the entities whose identities the certificates are meant to verify. This means that the individual developers or the companies who have created and/or own the website or software in question are, essentially, signing off on themselves. Furthermore, self-signed certificates are signed by their own private keys. This is yet another reason why they’re not publicly trusted certificates.
None of that sounds particularly trustworthy from the perspective of a website or app end user, does it? Now, let’s consider a certificate from a third-party CA.
A CA-signed certificate, on the other hand, is signed by a third-party, publicly trusted certificate authority (CA). The popular CAs are Sectigo (formerly Comodo CA), Symantec, DigiCert, Thawte, GeoTrust, GlobalSign, GoDaddy, and Entrust. These entities are responsible for validating the person or organization that requests each certificate.
Self Signed vs CA: The Types of Certificates
Both self-signed certificates and CA-signed certificates include X.509 digital certificates such as SSL/TLS certificates, code signing certificates, email signing certificates, etc. However, the term “self-signed certificates” commonly refers to self-signed SSL/TLS certificates, which are also known as private SSL certificates.
Self Signed vs CA: Visual Indicators of Trust
The identity of the applicant is verified by the publicly trusted CA as per the validation procedures stipulated by the CA/Browser Forum (CA/B Forum). That’s why all of the browsers, email clients, and operating systems show visual indicators of trust for a CA-signed certificate:
- SSL/TLS certificate: A padlock symbol in front of the domain name in the address bar.
- Code signing certificate: The software publisher’s name is displayed in the security prompt when a user tries to download the software.
- Email signing certificate: Outgoing emails carry the sender’s digital signature when the option is selected.
Why Trust Matters
When using a self-signed certificate, you’re essentially vouching for your own identity. It’s like writing “I have graduated” on a piece of paper and considering it your official graduation certificate. While you might be excellent in your academics, people aren’t going to trust your self-created certificate! They’d want the document to be issued and signed by an official institution such as a college or university.
In much the same way, no browsers, email clients, or operating systems are going to trust digital certificates that are signed by the very entities they’re designed to validate. That’s why they don’t show any of the above-mentioned trust indicators for self-signed certificates.
But it gets worse. Not only will browsers not trust a self-signed certificate, but they’ll even display a security warning page with error messages like “error_self_signed_cert” or “sec_error_untrusted_issuer” or “err_cert_authority_invalid” for the website using a self-signed certificate. This means that your website visitors must manually click on the “Accept Risk” button to open your site — and that can drive them away.
Self Signed vs CA: How to Use Each Certificate
Self-signed certificates are suitable for internal (intranet) sites, and sites used in testing environments.
CA certificates, on the other hand, are suitable for all public-facing websites and software. The CA certificate is a must for any website that:
- offers paid subscriptions/membership;
- handles tax information, health records of users, or any other personally identifiable information (PII);
- accepts donations/charity or fundraising online; or
- has an eCommerce facility.
Self Signed vs CA: A Breakdown of Costs
Self-signed certificates are available for free.
A CA certificate can be purchased for as little as $8.78/year. Although it’s not “free,” it’s also not going to break the bank, either.
When people are trying to decide between a self-signed certificate vs a CA certificate, cost is one of the significant points of consideration.
However, with a small investment of less than $10 per year, you can get a CA certificate that’s trusted by all the browsers and operating systems. This means that all of your digital certificates will show the trust indicators and your verified identity to users, and you can avoid those pesky security error messages altogether.
Role of CA/B Forum for a Self-Signed Certificate vs CA Certificate
The role of the CA/B Forum is the most crucial point of our whole “self-signed certificate vs CA certificate” discussion.
In public key infrastructure (PKI), the browsers trust a digital certificate only when it is signed by a publicly trusted certificate authority. To gain and retain their trust, the issuing CA must be a member of the CA/B Forum and abide by all of the guidelines stipulated by it. If they break any guideline, even for a single certificate, the browsers have a right to revoke trust from all the certificates that CA issues! If such a thing happens, the consequences for the certificate authority are dire. That’s why all CAs religiously follow all the rules cited by the CA/B Forum.
Self-signed certificates are not monitored by the CA/B Forum at all, so there is no penalty for a faulty or mis-issued certificate that’s self-signed. Self-signed certificates also have other weaknesses that cybercriminals can exploit. For example:
Validity Dates
CA certificates have a maximum validity period of two years (although Apple’s Safari browser is now limiting validity to one year, and the other browsers are likely to follow suit). In fact, free CA-signed SSL certificates provided by some non-profits are valid for only three months!
These validity periods and renewal procedures are strictly regulated and monitored by the CA/B Forum. So even if a user has bought a certificate for, let’s say, five years, they have to go through the validation and installation process once again after two years or on its expiry date (whichever is earlier).
Self-signed certificates do expire, but the expiry date depends entirely on whoever issues the certificate and the tool they use to do it. There is no set validity period: the user can make it valid for one year or for 15! Hence, you can’t trust a self-signed certificate’s validity dates.
Revocation
With a CA-issued certificate, the CA has the authority to revoke the certificate immediately if it is misused or its private key is compromised. You can stop trusting a self-signed certificate yourself, but there’s no mechanism in place to actually revoke it. So, if a self-signed certificate is mis-issued or misused, no one has the power to take disciplinary action against it and revoke it.
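The two differences the article keeps returning to, who signs the certificate and who controls its lifetime, can be seen directly with the openssl command-line tool. The script below is an added example, not part of the original article: it builds a throwaway CA in a temporary directory, issues one self-signed leaf and one CA-signed leaf, and then checks issuer versus subject, chain validation against a trust store, and remaining validity. All names (Example Demo Root CA, *.example.test) are constructed for the demo.

```shell
#!/bin/sh
# Added demo (not from the article): build a throwaway PKI in a temp dir and
# compare a self-signed leaf with a CA-signed leaf the way a client would.
# All names (Example Demo Root CA, *.example.test) are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A private root CA. It plays the role of the publicly trusted CA here.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/CN=Example Demo Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. Self-signed leaf: the subject signs itself with its own key and picks
#    any lifetime it likes (15 years here, as the article says a user can).
openssl req -x509 -newkey rsa:2048 -nodes -days 5475 \
  -subj "/CN=intranet.example.test" \
  -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null

# 3. CA-signed leaf: the site submits a CSR; the CA signs it and sets a
#    one-year lifetime, which the site cannot change on its own.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout "$WORK/site.key" -out "$WORK/site.csr" 2>/dev/null
openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -out "$WORK/site.crt" 2>/dev/null

# Issuer or subject DN of a certificate, without the "issuer="/"subject=" label.
dn() { openssl x509 -in "$1" -noout -nameopt RFC2253 "-$2" | cut -d= -f2-; }

# "self-signed" when the issuer DN equals the subject DN, otherwise "ca-signed".
cert_kind() {
  if [ "$(dn "$1" issuer)" = "$(dn "$1" subject)" ]; then echo self-signed; else echo ca-signed; fi
}

# Chain validation against a trust store that holds only the CA certificate.
# The self-signed leaf is not in the store, so it fails just as it does in a browser.
verifies_with_store() { openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; }

# True if the certificate is still valid $2 days from now (-checkend takes seconds).
valid_in_days() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; }

for c in self site; do
  f="$WORK/$c.crt"
  printf '%s: %s, issuer=%s, trusted=%s, valid in 400 days=%s\n' "$c" "$(cert_kind "$f")" \
    "$(dn "$f" issuer)" "$(verifies_with_store "$f" && echo yes || echo no)" \
    "$(valid_in_days "$f" 400 && echo yes || echo no)"
done
```

Adding the self-signed certificate to the trust store (`openssl verify -CAfile self.crt self.crt`) is the command-line equivalent of clicking “Accept Risk”: it makes that one client trust the certificate, which is exactly the manual step the article says public visitors will not take.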
Conclusion
If you have a public-facing website, always use a CA-signed certificate. If you have an internal site or sites used in testing environments, then you can consider using a self-signed certificate. Just be sure to swap out any self-signed certificates for CA certificates before making any sites in the testing environment live!
As you’ve learned, a CA-signed certificate isn’t all that expensive either! If you buy it from SectigoStore.com, you will get a CA-signed certificate at up to 82% off the retail price, starting at as low as $8.78/year!