If you own a website and are concerned about the security of access to it, you are probably looking at HTTPS. To configure HTTPS you need a server certificate, and there are several ways to create one. Who will sign your certificate? Will you sign it yourself? Is that safe against attackers who want to trap your website's users? This article addresses these questions.
If you use a self-signed certificate, what it comes down to is trust. Self-signed certificates are not verified by a trusted third party. When you use one, you are saying to your customers "trust me, I am who I say I am." An attacker can say exactly the same.
Anyone can create a self-signed certificate, and you can put whatever metadata you want into it. So two self-signed certificates can look and behave identically; the only thing that differentiates them is the key pair used to sign them.
Self-signed certificates are great for test servers. If you are building a website that you need to test over an HTTPS connection, you do not have to pay for a CA-signed certificate for that development site (which is likely to be an internal resource). You just need to tell your testers that their browser may pop up warning messages.
If you are doing e-commerce, you need a signed certificate.
If you are handling financial transactions, you need a signed certificate.
You may be tempted to use self-signed certificates for situations that require privacy but that people might not be as concerned about, for example forms for usernames and passwords, or pages exchanging personal information. Beware that even if you use a self-signed certificate, an attacker can create a look-alike website to collect exactly that information.
Browsers throw a warning when they see a self-signed certificate. You can use https://self-signed.badssl.com/ to experiment with this.
To handle this case, curl lets you pass the server certificate with the --cacert option. There is also the insecure option -k (--insecure), but it should not be used, since it disables certificate verification and so compromises data integrity.
Accessing a self-signed website using curl
[root@ubuntu ~/temp]# openssl s_client -showcerts -servername self-signed.badssl.com -connect self-signed.badssl.com:443 | tee cacert.pem
depth=0 C = US, ST = California, L = San Francisco, O = BadSSL, CN = *.badssl.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = BadSSL, CN = *.badssl.com
verify return:1
CONNECTED(00000003)
---
Certificate chain
0 s:/C=US/ST=California/L=San Francisco/O=BadSSL/CN=*.badssl.com
i:/C=US/ST=California/L=San Francisco/O=BadSSL/CN=*.badssl.com
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=San Francisco/O=BadSSL/CN=*.badssl.com
issuer=/C=US/ST=California/L=San Francisco/O=BadSSL/CN=*.badssl.com
---
No client certificate CA names sent
---
SSL handshake has read 1604 bytes and written 452 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: BD9E1559D1D22F8A749A7ABD6F54148192046F766B5AE55656BD0A43B7978A2A
Session-ID-ctx:
Master-Key: AB875A2497EEECB16127609D131C08A27DE73CEFEB2A902AF430FB36816AA6A2EBBD6156A565F29D93E12BED2EAAE356
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1506670928
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
[root@ubuntu ~/temp]# curl -v --cacert cacert.pem https://self-signed.badssl.com
* Rebuilt URL to: https://self-signed.badssl.com/
* Hostname was NOT found in DNS cache
* Trying 104.154.89.105...
* Connected to self-signed.badssl.com (104.154.89.105) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: cacert.pem
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=BadSSL; CN=*.badssl.com
* start date: 2016-08-08 21:17:05 GMT
* expire date: 2018-08-08 21:17:05 GMT
* subjectAltName: self-signed.badssl.com matched
* issuer: C=US; ST=California; L=San Francisco; O=BadSSL; CN=*.badssl.com
* SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: self-signed.badssl.com
> Accept: */*
>
< HTTP/1.1 200 OK
* Server nginx/1.10.3 (Ubuntu) is not blacklisted
< Server: nginx/1.10.3 (Ubuntu)
< Date: Thu, 28 Sep 2017 23:32:24 GMT
< Content-Type: text/html
< Content-Length: 477
< Last-Modified: Thu, 07 Sep 2017 18:18:21 GMT
< Connection: keep-alive
< ETag: "59b18d6d-1dd"
< Cache-Control: no-store
< Accept-Ranges: bytes
<
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="shortcut icon" href="/icons/favicon-red.ico"/>
<link rel="apple-touch-icon" href="/icons/icon-red.png"/>
<title>self-signed.badssl.com</title>
<link rel="stylesheet" href="/style.css">
<style>body { background: red; }</style>
</head>
<body>
<div id="content">
<h1 style="font-size: 12vw;">
self-signed.<br>badssl.com
</h1>
</div>
</body>
</html>
* Connection #0 to host self-signed.badssl.com left intact
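The two-step procedure shown above (fetch the certificate with openssl s_client, then pin it with curl --cacert) can be scripted. The following is an added example, not part of the original post: it keeps only the PEM block from the s_client output and, before trusting it, compares the certificate's SHA-256 fingerprint with one obtained out of band (the placeholder fingerprint, the helper names and `pinned_get` are assumptions of this example).

```shell
#!/bin/sh
# Added example: automate "fetch, pin, fetch over HTTPS" for a self-signed site.

# extract_pem: keep only the PEM block(s) from `openssl s_client -showcerts`
# output, dropping the handshake chatter that `tee` also captured above.
extract_pem() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# fetch_cert HOST PORT OUTFILE: download the server's certificate chain as PEM.
fetch_cert() {
    host=$1; port=$2; out=$3
    # </dev/null ends the s_client session instead of waiting on stdin.
    openssl s_client -showcerts -servername "$host" -connect "$host:$port" \
        </dev/null 2>/dev/null | extract_pem > "$out"
    [ -s "$out" ]
}

# fingerprint PEMFILE: SHA-256 fingerprint of the first certificate in the file.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# pinned_get HOST EXPECTED_FP: trust only the fetched certificate, and only if
# it matches a fingerprint obtained out of band from the site operator. This is
# the step that turns "trust me" into something verifiable.
pinned_get() {
    host=$1; expected=$2; pem=$(mktemp)
    fetch_cert "$host" 443 "$pem" || { echo "no certificate received" >&2; rm -f "$pem"; return 1; }
    actual=$(fingerprint "$pem")
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: got $actual, expected $expected" >&2
        rm -f "$pem"; return 1
    fi
    # --cacert pins trust to this file; never fall back to -k/--insecure.
    curl -sS --cacert "$pem" "https://$host/"
    rc=$?; rm -f "$pem"; return $rc
}

# Usage (the fingerprint is a placeholder; use the real one from the operator):
# pinned_get self-signed.badssl.com 'AA:BB:CC:...'
```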