Identify Self-Signed Certificates
Learn how to identify self-signed SSL certificates by comparing subject and issuer fields. Understand when self-signed certificates are appropriate and their security implications.
Detailed Explanation
What Is a Self-Signed Certificate?
A self-signed certificate is a certificate where the Subject and Issuer fields are identical — the certificate is signed by its own private key rather than by a Certificate Authority. There is no external party vouching for the certificate's authenticity.
How to Identify a Self-Signed Certificate
When you decode a certificate, compare the Subject and Issuer Distinguished Names:
# Self-signed: Subject == Issuer
Subject: CN=myserver.local, O=My Company
Issuer: CN=myserver.local, O=My Company
# CA-signed: Subject != Issuer
Subject: CN=example.com
Issuer: C=US, O=Let's Encrypt, CN=R3
Additionally, check the Basic Constraints extension. A self-signed root CA certificate will have CA:TRUE, while a self-signed leaf certificate typically has CA:FALSE or omits the extension entirely.
When Self-Signed Certificates Are Appropriate
- Development and testing — local development servers, staging environments
- Internal services — services behind a corporate firewall where you control all clients
- Private CA roots — the root certificate of any CA (even Let's Encrypt) is technically self-signed
- IoT and embedded devices — devices that communicate only within a controlled network
When NOT to Use Self-Signed Certificates
- Public-facing websites — browsers will display security warnings
- APIs consumed by third parties — clients will reject the certificate unless they explicitly trust it
- Email servers — other mail servers will flag messages or refuse to establish TLS
Security Implications
Self-signed certificates provide encryption (the TLS connection is still encrypted) but NOT authentication (there is no trusted third party confirming the server's identity). This means:
- Connections are encrypted in transit
- Man-in-the-middle attacks are possible because clients cannot verify identity
- The certificate must be manually trusted by each client
Creating a Self-Signed Certificate
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes \
-subj "/CN=localhost/O=Development"
The -x509 flag tells OpenSSL to produce a self-signed certificate instead of a certificate signing request (CSR).
Trust Store Installation
To use a self-signed certificate without warnings, you must add it to the client's trust store:
- macOS — add to Keychain Access
- Linux — copy to
/usr/local/share/ca-certificates/and runupdate-ca-certificates - Windows — import into the Trusted Root Certification Authorities store
- Browsers — each has its own trust store (Firefox uses its own, Chrome uses the OS store)
Use Case
Identify whether a certificate is self-signed when debugging trust errors in development environments, or when auditing production servers to ensure no self-signed certificates are accidentally deployed.