Comparing CA-signed and Self-signed certificates

You will be able to compare CA-signed and Self-signed certificates after reading the information provided here.

Certificate authority signed certificates

Certificate authorities such as VeriSign require a procedure whereby applicants prove their identities and obtain certificates that authenticate both the identity of the certificate applicant and the CA's own identity as the signer of the certificate.

Typically there is a local certification authority (CA); that is, the certificates do not come from any of the well-known CAs such as VeriSign. The local CA itself should have a root certificate issued by a well-known CA, but even this is not always true. If the local CA's root certificate is self-signed, you must import it into the truststore of each server or client that is using SSL.

Each server for an SSL connection and each client doing PKI authentication must then issue a request for a certificate to the local CA, and must add the resulting certificate into its keystore.

Self-signed certificates

In this case, each server for an SSL connection, and each client doing PKI authentication, generates its own self-signed certificate. It is then necessary to export the certificate to a file and to import it into various truststores. If a client C connects to a server S, C must have S's self-signed certificate in its truststore. If a client C does PKI authentication (symmetric SSL) to a server S, S must have C's self-signed certificate in its truststore.

Note: Self-signed certificates can be used for either a client or a server certificate. See Manage keys, certificates and keystores for information on how to do this.
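
The truststore rules described above, modelled with Go's standard crypto/x509 package as an added example (not code from the original page). An x509.CertPool stands in for a truststore; the helpers issue and trusted and all certificate names are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}
// issue creates a certificate for a constructed name: self-signed when ca is nil, otherwise signed by the local CA.
func issue(name string, isCA bool, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
	}
	if ca == nil { // self-signed: the certificate is its own issuer
		ca, caKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}
// trusted reports whether cert chains to an entry of the given truststore.
func trusted(cert *x509.Certificate, truststore ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, c := range truststore {
		pool.AddCert(c)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}
func main() {
	root, rootKey := issue("local-CA", true, nil, nil)
	s, _ := issue("server-S", false, root, rootKey)
	fmt.Println("CA root imported:", trusted(s, root), "empty truststore:", trusted(s))
}
```

With self-signed certificates every peer's certificate has to be imported individually, whereas importing the local CA's root once covers every certificate that CA issues.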