*** Welcome to piglix ***

Self-signed certificate


In cryptography and computer security, a self-signed certificate is an identity certificate that is signed by the same entity whose identity it certifies. This term has nothing to do with the identity of the person or organization that actually performed the signing procedure. In technical terms a self-signed certificate is one signed with its own private key.

In typical public key infrastructure (PKI) arrangements, a digital signature from a certificate authority (CA) attests that a particular public key certificate is valid (i.e., contains correct information). Each CA has one or more root keys; and the certificates associated with those public keys are "trust anchors" that use a special type of self-signed certificates. Establishing trust of the CA root certificate is dependent upon procedures beyond checking its digital signature.

In a CA based PKI system, the CA must be trusted by both parties. This is usually accomplished by placing the CA certificates in a whitelist of trusted certificates. For example, web browsers developers may use procedures specified by the CA/Browser Forum, or a private CA's certificate may be placed in the firmware of an embedded system. The trust issues of an entity accepting a new self-signed certificate, is similar to the issues of an entity trusting the addition of a new CA certificate.The parties in a self-signed PKI must establish trust with each other (using procedures outside the PKI), and confirm the accurate transfer of public keys (e.g. compare the hash out of band).

There are many subtle differences between CA signed and self-signed certificates, especially in the amount of trust that can be placed in the security assertions of the certificate. Some CAs can verify the identity of the person to whom they issue a certificate; for example the US military issues their Common Access Cards in person, with multiple forms of other ID. The CA can attest identity values like these by including them in the signed certificate. With a self-signed certificate by contrast, values in the certificate cannot be trusted more than the entity itself. This is because the entity possesses the signing key, and can always generate a new certificate with different values. For example, the validity dates of a self-signed certificate can not be trusted because the entity could always update them to a valid date range. Special treatment of X.509 certificate fields for self-signed certificate can be found in RFC 3280.


...
Wikipedia

...