What's a self-signed certificate?

If you somehow ended up here and aren't sure what a self-signed certificate is, or whether you should create and use one, check out this great description of signed and self-signed certificates. In a nutshell, self-signed certs still provide an encrypted connection, but since you're acting as your own certificate authority and the browser doesn't trust you (don't take it personally 😜), visitors will see a scary message like this:

[Image: sscert-warning]

If you need a secure connection that's still free but won't pop up a scary alert, check out Let's Encrypt. However, if you have a personal project or test environment or something that only a few people (or just you) need to access securely, a self-signed certificate is good enough. It's what I used when I created a secure wiki with DokuWiki for my personal use, because I trust me even if the browser doesn't.

Why's it asking me for all those details?

When you create a self-signed cert, you're prompted for some personal details like your address and email. I'm not sure why this information is requested, since even for a normal certificate it proves nothing, is not verified by the certificate authority, and 99.99999% of users are never going to check for these details. It's probably important if you accept payments and need an extended validation cert, and even those can be dubious... but that's outside my knowledge, so I digress.

[Image: selfcert-prompt]

Whatever you type in those fields is visible to anyone who views the certificate in their browser, even if most people won't check for it. Even though my publicly accessible site is for personal use only and I'm not going around publicizing the URL, I do have a lot of links in my site, and thanks to the stupid Referer header, any time I click one of those links ~~a kitten dies~~ someone else's server is notified that the request came from my site. Some curious admin looking at logs could go back and find details about my site. And send me an email. 🙄

Do I need to provide all those details?

No, not for a self-signed certificate. What you're after is a secure connection and you got it. Now if you're setting this up for a huge corporate intranet you may want to rethink things - even though it's internal, you might not want everyone getting comfortable with clicking through the aforementioned security warning.

Here's how the legit Let's Encrypt certificate for my blog looks in Firefox and Brave, and everything works just fine. The only required piece of data is the "Common Name (CN)" field, which is where you specify your domain name or IP address.

[Image: sslcert-myblog]

So when you set up your self-signed cert, just enter a . (or maybe a different character? Be sure to read the console output!) to leave everything blank... except the Common Name field.

Restart your system and check out your certificate again. No personally identifiable info anymore!
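Here's the same thing done non-interactively, as an added example (not from the original post): `openssl req -subj` sets the subject directly, so the address/email prompts never appear and only the Common Name is filled in, and a second function dumps the subject so you can confirm nothing personal ended up in it. One caveat worth knowing: current browsers ignore the CN when matching the hostname and require a Subject Alternative Name, so the example adds one with `-addext` (OpenSSL 1.1.1 or newer). The hostname `wiki.example.test` and the output directory are placeholders.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumes openssl 1.1.1+ is installed.
# Generates a self-signed cert whose subject contains ONLY the Common Name,
# which is what answering every other prompt with "." achieves interactively.

# make_selfsigned HOSTNAME OUTDIR
#   Writes OUTDIR/key.pem and OUTDIR/cert.pem for HOSTNAME (a placeholder here).
make_selfsigned() {
  host="$1"
  dir="$2"
  mkdir -p "$dir"
  # -subj "/CN=..." : subject with no C/ST/L/O/OU/emailAddress fields at all
  # -addext         : browsers match the hostname against the SAN, not the CN
  # -nodes          : unencrypted private key, so the web server can start unattended
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# cert_subject CERTFILE
#   Prints the subject line, e.g. "subject=CN = wiki.example.test".
cert_subject() {
  openssl x509 -in "$1" -noout -subject
}

# cert_san CERTFILE
#   Prints the Subject Alternative Name extension so you can confirm it is there.
cert_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName
}

# Usage (placeholder hostname):
#   make_selfsigned wiki.example.test ./out
#   cert_subject ./out/cert.pem      # should show only CN
#   cert_san ./out/cert.pem          # should list DNS:wiki.example.test
```

After the web server is restarted with the new key and cert, `cert_subject` is a quicker check than clicking through the browser's certificate viewer: if anything other than `CN` shows up in that line, a prompt was answered with real data.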

If you had a different experience - or some point to elaborate, clarify, or just plain fix - please leave a comment below to let me know!