What’s a self-signed certificate?
Well, first things first: This is information that is probably only of interest to a true unadulterated propellerhead. You're probably familiar with the little lock icon that your browser displays when you're on a “secure” connection, right? That little icon is an indication that the information sent between your browser and the remote server is encrypted while it's in transit. It's “secure” in the sense that somebody who intercepts the traffic along the way can't read it, and can't tamper with it without the tampering being detected.
The mechanics of creating this encrypted conversation are a bit arcane, but the basics are that the server (on the other side of the Internet from your browser) has an SSL certificate installed. (SSL stands for “Secure Sockets Layer”; its successor is called TLS, but everybody still says SSL.) The certificate is really one half of a pair. There's a “private key”, which is known only to the server, and a “public key”, which is embedded in the certificate and sent to your browser. The trick is that any message that's encrypted using the public key can only be decrypted with the private key, and vice versa (that second direction is what makes a digital signature work). So the server hands you its public key, your browser uses it to agree on a fresh session key that only the two of you know, and there's no way that anybody else can listen in on your conversation.
There's another important aspect to SSL. You want to be sure that nobody can intercept the traffic between you and the server, but you also want some assurance that the server on the other end of the connection really *is* the Land's End corporate web server (or whatever). That's where Certificate Authorities come in. There are a limited number of these in the world, and they are the entities that we trust implicitly to tell us that www.landsend.com really does belong to Land's End. The trusted authorities have their own root certificates installed in all major browsers, so that when you visit a site whose SSL certificate is signed by one of these authorities (directly, or through a chain of intermediate certificates that leads back to one), the browser doesn't complain. If the certificate doesn't chain up to a trusted root authority, the browser has no way of knowing whether it's talking to the real server or to an impostor, so you'll get a pop-up warning that the SSL certificate may not be valid.
That's all well and good, but it means that every time the Certificate Authorities sign a certificate (and vouch for the server's identity), they want some money to cross palms, and they want to do some checks to ensure that you really are who you say you are (how thorough those checks are depends on the type of certificate). The cost of a “full bore” SSL certificate can run into the hundreds of dollars (at my company we sell them for $125).
So what happens if you just want to fiddle around with SSL, or if you're testing a website and need to do so with SSL capabilities, or if the encryption of the traffic is more important than verifying identity? In that case, you can usually create a “self-signed” SSL certificate. It's a certificate whose issuer is the same as its subject: the server vouches for itself. It encrypts the traffic exactly the way a regular SSL certificate does, but it's not counter-signed by one of the trusted root authorities, so the browser can't distinguish your server from an impostor that cooked up a certificate of its own. It makes your browser pop up and say “This certificate is not signed by someone you trust…are you sure you want to be here?”
But for personal use or for testing, self-signed certificates are perfectly acceptable, with one caveat: add the certificate to the trusted store of the machines that will be connecting, rather than clicking past the warning every time. Once the certificate is explicitly trusted, the warning disappears and you're protected again against somebody slipping a different certificate into the connection; if you just get used to dismissing the warning, you've trained yourself (and anyone else using the site) to ignore the one signal an impostor would trigger.
The challenge is that they're somewhat cumbersome to create — you have to use a suite of encryption tools and know arcane commands, and remember passwords and all of that. More to the point, if you want to create a self-signed certificate to be used in IIS (Microsoft's web server platform), there's hardly any documentation explaining how to do so. That's why I created the tutorial I mentioned in my earlier posting — it explains how to use freely available software to create self-signed certificates that you can use in IIS.
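Here is what those “arcane commands” boil down to with the OpenSSL command-line tool. This is an added example, not the tutorial from the earlier posting and not IIS-specific; it assumes an OpenSSL 1.1.1 or newer binary on the PATH, and the host name `dev.example.test` and the scratch directory are made up for the demo. It creates the key and the self-signed certificate as two separate files, checks that they belong together, and then reproduces the browser's complaint with `openssl verify`: with no trust anchor the certificate fails verification, and once you explicitly trust it the same check passes.

```shell
#!/bin/sh
# Added example (not from the original post): create a self-signed certificate
# with OpenSSL and show why a browser warns about it. Assumes openssl 1.1.1+ on
# PATH; the host name and paths are made up for the demonstration.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # scratch directory, assumed writable
KEY="$WORKDIR/key.pem"               # private key: stays on the server, never sent
CERT="$WORKDIR/cert.pem"             # certificate: public key + name, sent to browsers

# Generate a 2048-bit RSA key and a certificate that signs *itself*.
# -nodes leaves the key unencrypted so the server can start without a
# passphrase prompt; protect it with file permissions instead.
make_self_signed() {
    host="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$KEY" -out "$CERT" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
    chmod 600 "$KEY"
}

# cert_field subject|issuer -> the value without the "subject=" / "issuer=" prefix
cert_field() {
    openssl x509 -in "$CERT" -noout "-$1" | sed 's/^[a-z]*=//'
}

# "Self-signed" means the issuer is the subject: the certificate vouches for itself.
issuer_equals_subject() {
    [ "$(cert_field issuer)" = "$(cert_field subject)" ]
}

# The public key inside the certificate must belong to the private key on disk.
# Comparing the RSA modulus of each is the standard check for a key/cert pair.
key_matches_cert() {
    [ "$(openssl rsa -in "$KEY" -noout -modulus 2>/dev/null)" = \
      "$(openssl x509 -in "$CERT" -noout -modulus)" ]
}

# The browser's complaint, reproduced: with no trust anchors loaded at all,
# chain verification fails because nobody you trust signed this certificate.
verify_with_no_trust_anchor() {
    openssl verify -no-CAfile -no-CApath "$CERT" >/dev/null 2>&1
}

# What you do on a test machine: trust this exact certificate. Now the same
# check passes, and an impostor would need the private key to pass it too.
verify_after_trusting_it() {
    openssl verify -no-CApath -CAfile "$CERT" "$CERT" >/dev/null 2>&1
}

make_self_signed dev.example.test
echo "subject: $(cert_field subject)"
issuer_equals_subject && echo "issuer == subject, so this is self-signed"
key_matches_cert && echo "private key matches the certificate"
verify_with_no_trust_anchor || echo "no trust anchor: this is the browser warning"
verify_after_trusting_it && echo "explicitly trusted: no warning"
```

The two `openssl verify` calls are the whole story of the pop-up: the certificate itself is identical in both cases, and the only thing that changes is whether the verifier has been told to trust it. That is also why trusting a self-signed certificate on your own test machines is fine, while clicking past the warning on somebody else's site is not.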
Is your head spinning yet??