We have a Java EE project on GlassFish that contains a login screen that we want to secure through SSL.
What's the disadvantage of using a self generated certificate instead of one signed from a CA in production? Will it give warnings and a bad experience to the end user?
You can use self-signed certificates for testing and non-commercial environments, such as labs. For security reasons, do not use self-signed certificates in a production environment.
But using them in a production environment leaves the systems exposed to vulnerabilities and security breaches. Self-signed SSL certificates are not trusted by browsers, because they are generated by your servers, and not validated by trusted CAs, like Cloudflare and Go Daddy.
By having a self-signed certificate you are effectively on your own, without the backing of a trusted certificate authority and application of the latest cryptographic methods necessary to ensure proper authentication and encryption of data, devices, and applications.
Organizations may ban the use of self-signed certificates for several reasons: It is trivially easy to generate a certificate's key pair without reasonable entropy, to fail to protect the private key of the key pair appropriately to its use, to poorly validate the certificate when used, and to misuse a self-signed ...
Yes, a user browsing the login site will get a certificate warning in their browser each time.
If the application will only be used within a closed user group (let's say within a company), then you might mitigate this by adding the self-signed certificate to each user's set of trusted certificates (either in the browser or at the OS level, depending on the particular situation).
But if your application is typically open to the vast public, then it's considered bad practice to use self-signed certificates. You are basically educating your users to ignore and accept the browser warning, which is normally the last line of defense against man-in-the-middle attacks. That's clearly not what you want, so in that case you should always use a "real" certificate, even if it's a staging/test deployment only.
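The three situations the answer describes (the warning out of the box, the closed-user-group fix of distributing the certificate as a trust anchor, and why that does not open the door to any other self-signed certificate) can be reproduced locally. This is an added example, not code from the question or the answers; it assumes the `openssl` command-line tool is installed, and every certificate it uses is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the question or the answers above. Assumes the
# openssl CLI is installed. All certificates are constructed locally in a
# temporary directory; nothing is contacted over the network.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_self_signed NAME CN: write a constructed self-signed cert and key.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        >/dev/null 2>&1
}

# verify_chain CERT [TRUSTFILE]: chain-validate CERT. With no TRUSTFILE only
# the default trust store is consulted. Prints "trusted" or "untrusted".
verify_chain() {
    if [ "$#" -ge 2 ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
    else
        openssl verify "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
    fi
}

make_self_signed server login.example.test    # the login site's own certificate
make_self_signed impostor login.example.test  # a different self-signed cert, same CN

# 1. Out of the box the self-signed cert fails validation: this is the
#    browser warning every user of the login page would see.
echo "default store:     $(verify_chain "$WORK/server.pem")"

# 2. The closed-user-group mitigation: distribute server.pem to each user
#    as a trust anchor and validation succeeds.
echo "server.pem pinned: $(verify_chain "$WORK/server.pem" "$WORK/server.pem")"

# 3. Trusting that one certificate does not mean trusting every self-signed
#    certificate carrying the same name: the impostor still fails, so the
#    warning keeps its meaning for users who were not trained to click it away.
echo "impostor vs pin:   $(verify_chain "$WORK/impostor.pem" "$WORK/server.pem")"
```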