Best Practices 10-28-2015

The True Cost of Self-Signed SSL Certificates

Sara Drury

While many companies make online security a priority in their business, just as many take a risk by securing their websites with self-signed SSL Certificates. Because self-signed SSL Certificates are free, the option tempts novice and veteran companies alike. However, self-signed SSL Certificates are risky because they lack validation from a third party. So while your company can save money, there are several consequences of self-signed SSL Certificates that businesses should be aware of.

A Question of Trust

As previously stated, self-signed SSL Certificates are not validated by a third party (i.e., a trusted certificate authority (CA)). Because the company has vouched for itself, consumers have two options: trust the certificate on the company's own word that it is who it says it is, or conduct their business elsewhere for higher-assurance security.

Third-party validation is not something a company can hide from. Upon visiting a self-signed website, the browser displays a warning that urges the user to abandon the page for security reasons.

Some inexperienced users might mindlessly ignore these warnings and click past them. Unfortunately, these warnings potentially set companies up for two losses:

Brand reputation: Your company was not willing to secure your site using a CA, therefore putting your company’s identity at risk and negatively affecting brand reputation.

Customer trust: Self-signed certificates are easy to mimic. An attacker could use this against a company to fool victims and steal their personal data, therefore putting your customers’ identities at risk.

Risks of Self-Signed SSL Certificates

Using a self-signed SSL Certificate can save money at the beginning, but the risks should urge companies to think twice. Here are a few points to consider:

  • Creating a self-signed SSL Certificate takes just as much time as buying one, and it often takes longer to do properly. Third-party validation will ensure total security of your company, whereas the smallest mistake in the creation of your own self-signed SSL Certificate is a backdoor for hackers to breach your company’s security.
  • A trusted CA, like DigiCert, provides tools to help you monitor your certificates and will notify you upon certificate expiration. By contrast, self-signed certificates require self-management; they usually expire after one year, whereas validated SSL Certificates can have a validity period of up to three years.
  • Using a self-signed SSL Certificate makes monitoring activity extremely difficult and requires vigilant organization. It becomes tricky when an enterprise has multiple certificates, thousands in some cases, most of which are tracked in a spreadsheet.
  • Revoking a certificate becomes very difficult as well. A CA can easily revoke a certificate, but a self-signed certificate that has been compromised can only be replaced or rotated; it cannot be nullified.

A company should be educated on these risks in order to build consumer trust and avoid security breaches or attacks that could have been easily prevented.
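The trust gap described above can be seen directly with openssl. The script below is an added example, not code from the original article or from DigiCert: it creates a self-signed certificate and, beside it, a private test CA (a stand-in for a trusted third party) with a leaf certificate that CA has issued, then shows what a browser's trust check amounts to. A self-signed certificate is recognisable because its issuer and subject are identical, and it verifies only when it is itself placed in the trust store (which is what a user does by clicking through the warning); the CA-issued leaf verifies against the CA it chains to. All names (shop.example.test, "Example Test CA") and keys are constructed in a temporary directory for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): self-signed vs CA-issued
# certificates, checked the way a browser or TLS client checks them.
# Everything is constructed in a temporary directory; no real hosts or keys.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. A self-signed leaf: the site signs its own certificate (hypothetical name).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=shop.example.test" \
  -keyout "$WORK/self.key" -out "$WORK/self.pem" >/dev/null 2>&1

# 2. A private test CA standing in for a trusted third party ...
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1095 \
  -subj "/CN=Example Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# ... and a leaf certificate for the same site that this CA has issued.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=shop.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -sha256 -out "$WORK/leaf.pem" >/dev/null 2>&1

# is_self_signed FILE: prints "yes" when issuer and subject are identical,
# the structural tell-tale of a self-signed certificate.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  # drop the "subject=" / "issuer=" prefixes before comparing the names
  if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo yes; else echo no; fi
}

# chains_to FILE TRUST_FILE: prints "ok" when FILE verifies against the
# trust anchors in TRUST_FILE, "fail" otherwise. A browser does the same
# thing with its built-in root store.
chains_to() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

echo "self-signed cert: issuer==subject? $(is_self_signed "$WORK/self.pem");" \
     "trusted via CA? $(chains_to "$WORK/self.pem" "$WORK/ca.pem");" \
     "trusted only if added to the store itself? $(chains_to "$WORK/self.pem" "$WORK/self.pem")"
echo "CA-issued cert:  issuer==subject? $(is_self_signed "$WORK/leaf.pem");" \
     "trusted via CA? $(chains_to "$WORK/leaf.pem" "$WORK/ca.pem")"
```

The last check is the important one: the self-signed certificate verifies only when the verifier has been told to trust that exact certificate, so every visitor (and every internal client, script and monitoring tool) has to be configured with it individually. That is the management burden the risk list above refers to, and it is also why there is no revocation to fall back on: the only way to "revoke" it is to remove it from every store it was added to.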

The Security of Your Business Depends on the Security of Your Consumers

Large organizations are a constant target for advanced attackers, making security a constant priority. Statistics show that of the 80% of U.S. consumers who shop online, 71% of them rely on online stores to protect their credentials. Thus, the responsibility ultimately falls on the organization to ensure the best security protection for their customers. By securing the privacy of your customers, you will secure the life of your business.
