← Back to Blog
explainer

Self-Signed SSL Certificates: When to Use Them and When Not To

A self-signed certificate is one that you sign yourself instead of having a Certificate Authority sign it. It provides the same encryption — the TLS handshake, the encrypted tunnel, all of it — but it carries no third-party identity verification. Because browsers and operating systems only trust certificates from CAs in their pre-installed root store, your self-signed certificate will trigger a "Your connection is not private" warning on every visitor's browser.

🔒

Free SSL Checker

Verify self-signed cert details and see what error browsers will show.

Try It Free →

How to Create a Self-Signed Certificate with OpenSSL

Generating a self-signed certificate takes one command. The example below creates a certificate valid for 365 days covering localhost and a local IP:

# Generate private key and self-signed certificate in one step openssl req -x509 -newkey rsa:2048 -nodes \ -keyout localhost.key \ -out localhost.crt \ -days 365 \ -subj "/CN=localhost" \ -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"

Breaking this down:

  • -x509 — Output a self-signed certificate instead of a CSR
  • -newkey rsa:2048 -nodes — Generate a 2048-bit RSA key with no passphrase
  • -days 365 — Certificate validity period
  • -addext "subjectAltName=..." — SANs are required by modern browsers; CN alone is ignored

Use It for Local Development

The most common legitimate use of a self-signed cert is running HTTPS on a local development server. Many modern web features (service workers, camera/microphone access, certain APIs) only work over HTTPS, so http://localhost isn't always sufficient.

For local dev, consider mkcert instead of a raw self-signed cert. It creates a local CA that it installs into your system's trust store, so you get a certificate that your browser actually trusts without warnings — while still being completely isolated from the internet.

# Install mkcert (macOS) brew install mkcert mkcert -install # Installs the local CA # Generate a trusted cert for localhost mkcert localhost 127.0.0.1 ::1

How to Install a Self-Signed Certificate on Apache/Nginx

The configuration is identical to a CA-signed certificate — just point to your self-signed files:

# Apache (inside VirtualHost *:443) SSLCertificateFile /path/to/localhost.crt SSLCertificateKeyFile /path/to/localhost.key # No SSLCertificateChainFile needed for self-signed # Nginx (inside server block) ssl_certificate /path/to/localhost.crt; ssl_certificate_key /path/to/localhost.key;

Trusting a Self-Signed Certificate in Your Browser

For team use on an internal tool, you can distribute your self-signed cert and have team members add it to their OS/browser trust store. On macOS, drag the .crt file into Keychain Access and set it to "Always Trust." On Windows, double-click the cert and install it into "Trusted Root Certification Authorities." On Firefox, go to Settings → Certificates → View Certificates → Import.

Don't ask external users to accept or install your self-signed certificate. If you're asking someone outside your team to bypass the security warning, that's a sign you need a proper CA-signed certificate instead. Let's Encrypt is free and automates renewal — there's no reason to use a self-signed cert on any public server.

Self-Signed vs Let's Encrypt: The Decision

For anything accessible from the internet, Let's Encrypt removes every excuse for using a self-signed certificate. It's free, automated, and browsers trust it without any warnings. The only scenario where self-signed is genuinely better is when your server has no domain name (only an IP address), is fully offline, or is on an air-gapped network where CA validation isn't possible.

FAQs

  • Does a self-signed certificate provide real encryption?
    Yes. The encryption algorithm is identical to a CA-signed certificate — AES-256 for the session, RSA or ECC for key exchange. What's missing is identity verification. You know the connection is encrypted, but you can't prove to visitors that the server belongs to who it claims to be.
  • Will Google penalize my site for using a self-signed certificate?
    Visitors will see a security warning and most will leave before your page even loads. That's a practical penalty worse than any algorithmic one. Use a CA-signed certificate for any public site.
  • How long should I make my self-signed certificate valid?
    For local development, 1–2 years is convenient. For internal tools, follow the same 398-day practice as public certificates — shorter validity periods reduce the damage if a private key is ever compromised.

Ready to switch to a trusted certificate?

Generate a proper CSR for a CA-signed certificate — free, takes 2 minutes.