Self-Signed Certificates: When They Are and Are Not Appropriate
Learn what self-signed certificates are, why browsers do not trust them by default, and when to use a publicly trusted SSL certificate instead.
Introduction
A self-signed certificate is an SSL/TLS certificate that is signed by its own creator instead of a publicly trusted certificate authority. It can still enable encryption, but browsers and operating systems usually do not trust it by default.
Self-signed certificates can be useful for local development, testing, internal systems and private infrastructure where trust is controlled. They are not appropriate for public websites, customer portals, payment pages or any service where visitors expect normal browser trust.
Quick answer
A self-signed certificate can encrypt traffic, but it is not trusted by public browsers unless the user or organization manually trusts it. Use self-signed certificates only for controlled internal or testing environments. Public websites should use certificates from trusted certificate authorities.
Self-signed certificates
A self-signed certificate is a certificate signed by the same entity that created it. It is not issued by a public certificate authority such as Let’s Encrypt, DigiCert, Sectigo, GlobalSign or Google Trust Services.
Because public browsers do not automatically trust the signer, visitors usually see a warning such as:
- Your connection is not private
- This certificate is not trusted
- NET::ERR_CERT_AUTHORITY_INVALID
- Security risk ahead
The problem is not always encryption. The problem is trust.
Self-signed vs trusted
Self-signed certificate
- Issued by: Your own system or organization.
- Trusted by browsers: No, not by default.
- Best for: Local testing, private labs, internal tools and controlled environments.
- Main risk: Users see warnings unless trust is manually configured.
Publicly trusted certificate
- Issued by: A trusted certificate authority.
- Trusted by browsers: Yes, if valid and correctly installed.
- Best for: Public websites, customer portals, APIs and production services.
- Main risk: Must be renewed and installed correctly.
Acceptable use cases
Local development
Useful for testing HTTPS on a developer machine.
Private lab
Useful for isolated test environments.
Internal systems
Acceptable when all devices are controlled and trust is managed centrally.
Temporary testing
Useful for short-term testing before a real certificate is issued.
Private services
May be acceptable for VPN-only or internal-only tools.
Even internally, self-signed certificates should be documented and managed properly.
When not to use them
Public websites
Visitors will see browser warnings and may leave.
E-commerce
Payment and checkout pages need trusted HTTPS.
Customer portals
Users should not be trained to bypass certificate warnings.
Production APIs
Clients may reject untrusted certificates.
Login pages
Untrusted certificates reduce confidence and create security risk.
Email or hosting control panels
Public-facing admin tools should use trusted certificates.
Never ask normal users or customers to ignore certificate warnings on a public service.
Browser warnings
Browsers warn users because they cannot verify who created the certificate. With a publicly trusted certificate, the browser can follow a trust chain back to a trusted root certificate authority. With a self-signed certificate, that trust chain is missing.
A self-signed certificate may still encrypt traffic, but encryption without trusted identity is not enough for public websites.
Why this matters
This matters because certificate warnings damage trust immediately. A visitor may assume the website is fake, unsafe, abandoned or compromised. For public websites, a self-signed certificate is usually worse than no professional SSL setup because it teaches users to ignore security warnings.
For internal systems, self-signed certificates can be acceptable only when the organization controls the devices and trust settings.
How to check trust
Use SSL Checker to inspect the issuer, trust status and certificate chain.
When checking a self-signed certificate, review
These six checks help decide whether the certificate is appropriate.
Issuer
Check whether the certificate is issued by itself or an unknown authority.
Trust status
Confirm whether browsers trust the certificate.
Certificate chain
Check whether the certificate links to a trusted root.
Hostname match
Confirm the certificate still covers the correct hostname.
Expiry date
Check whether the certificate is expired.
Environment
Decide whether the service is public, internal, testing or local.
Check certificate trust
Use SSL Checker to verify whether your certificate is trusted by public browsers.
Common problems
Public website uses self-signed certificate
HighVisitors will see browser warnings because the certificate is not publicly trusted.
Next step: Install a certificate from a trusted certificate authority.
Users are told to ignore warnings
HighTraining users to bypass certificate warnings creates bad security habits.
Next step: Fix certificate trust instead of asking users to continue.
Internal certificate not deployed to devices
MediumThe organization uses an internal CA, but devices do not trust it.
Next step: Deploy the internal root CA through managed device policies.
Self-signed certificate expired
MediumEven self-signed certificates have expiry dates.
Next step: Renew or replace the certificate and update the service.
Hostname mismatch
HighThe certificate does not cover the hostname being used.
Next step: Create a certificate for the correct hostname or use a trusted public certificate.
Production API rejects certificate
HighClients may refuse connections to untrusted certificates.
Next step: Use a publicly trusted certificate or configure private trust correctly.
Self-signed certificate used as a permanent shortcut
MediumTemporary test certificates often remain in production by mistake.
Next step: Replace with a managed certificate process and renewal plan.
How to replace them
-
Step 1: Identify where the certificate is used
Check whether it is on a website, control panel, API, mail service, internal app, CDN or proxy.
-
Step 2: Decide if the service is public or private
Public services should use publicly trusted certificates. Private services may use internal trust if managed properly.
-
Step 3: Choose a trusted certificate option
Use Let’s Encrypt, hosting AutoSSL, CDN SSL, commercial CA or internal CA depending on the use case.
-
Step 4: Issue the certificate for correct hostnames
Include root domain, www, subdomains or internal hostnames as needed.
-
Step 5: Install the certificate and full chain
Update the web server, proxy, load balancer, CDN or service configuration.
-
Step 6: Reload and test
Reload the service and verify trust externally with SSL Checker.
-
Step 7: Set renewal process
Use automatic renewal where possible.
Internal CA
For organizations, an internal certificate authority is often better than random self-signed certificates.
Internal CA
Centrally managed. Root CA can be deployed to company devices. Certificates can be issued consistently. Better for internal services.
Random self-signed certificate
Trusted nowhere by default. Harder to manage. Easy to forget. Creates repeated warnings.
Internal CA setups still require careful management and should not be used for public websites unless the CA is publicly trusted.
Better alternatives
Let’s Encrypt
Good free option for public websites.
Hosting AutoSSL
Good for shared hosting and cPanel/Plesk environments.
CDN SSL
Useful when HTTPS terminates at Cloudflare, CDN or proxy.
Commercial CA
Useful for business requirements, organization validation or special certificate needs.
Internal CA
Useful for managed private infrastructure.
The best alternative depends on whether the service is public or private.
NET::ERR_CERT_AUTHORITY_INVALID
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -issuer -subject
openssl s_client -connect example.com:443 -servername example.com -showcerts
Public website recommendation
Use a trusted CA certificate.
Internal-only recommendation
Use internal CA trust management instead of unmanaged self-signed certificates.
These examples are illustrative. Replace example.com with your real domain or internal hostname.
Frequently asked questions
Is a self-signed certificate encrypted?
Yes, it can encrypt traffic, but browsers do not trust it by default.
Why do browsers warn about self-signed certificates?
Because the certificate is not signed by a trusted certificate authority.
Can I use a self-signed certificate on a public website?
You should not. Public websites should use publicly trusted certificates.
When is self-signed acceptable?
It may be acceptable for local development, testing labs or controlled internal systems.
Is an internal CA better than self-signed certificates?
Usually yes for organizations, because trust can be managed centrally.
Can users manually trust a self-signed certificate?
Yes, but that is not appropriate for normal public visitors or customers.
What should I use instead?
Use Let’s Encrypt, hosting AutoSSL, CDN SSL, a commercial CA or a managed internal CA depending on the use case.
Related tools
Use these free tools to verify your configuration after applying changes.
Related guides
Browse all SSL & HTTPS guides →Need help applying this fix?
Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.
Was this guide helpful?
Your feedback helps us improve our guides for everyone.
Thanks for your feedback!