Self signed certificate in production

We have a Java EE project on GlassFish that contains a login screen that we want to secure through SSL.

What's the disadvantage of using a self-generated certificate instead of one signed by a CA in production? Will it give warnings and a bad experience to the end user?

Mira asked Aug 06 '12 06:08


People also ask

Can I use self-signed certificate in production?

You can use self-signed certificates for testing and non-commercial environments, such as labs. For security reasons, do not use self-signed certificates in a production environment.

Why not use self-signed certificate in production?

But, using them in a production environment leaves the systems exposed to vulnerabilities and security breaches. Self-signed SSL certificates are not trusted by browsers, because they are generated by your servers, and not validated by trusted CAs, like Cloudflare and Go Daddy.

What does a self-signed certificate do?

By having a self-signed certificate you are effectively on your own, without the backing of a trusted certificate authority and application of the latest cryptographic methods necessary to ensure proper authentication and encryption of data, devices, and applications.

Is a self-signed certificate OK?

Organizations may ban the use of self-signed certificates for several reasons: It is trivially easy to generate a certificate's key pair without reasonable entropy, to fail to protect the private key of the key pair appropriately to its use, to poorly validate the certificate when used, and to misuse a self-signed ...


1 Answer

Yes, a user browsing the login site will get a certificate warning in their browser each time.

If the application will only be used within a closed user group (let's say within a company), then you might mitigate this by adding the self-signed certificate to each user's set of trusted certificates (either in the browser or on the OS level, depends on the particular situation).

But if your application is typically open to the vast public, then it's considered bad practice to use self-signed certificates. You are basically educating your users to ignore and accept the browser warning, which is normally the last line of defense against man-in-the-middle attacks. That's clearly not what you want, so in that case you should always use a "real" certificate, even if it's a staging/test deployment only.

emboss answered Sep 19 '22 20:09
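Added example, not code from the question or the answer above: a shell script that generates a self-signed certificate with the openssl CLI, shows it failing validation against the system trust store (what a visitor's browser does), and then shows it passing once that exact certificate is added as a trust anchor, which is the closed-user-group mitigation the answer describes. The hostname, working directory and function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Requires the openssl CLI (1.1.1 or newer for -addext). The hostname,
# working directory and function names below are assumptions.
set -e

HOST="login.example.internal"        # assumed hostname of the login site
WORK="${TMPDIR:-/tmp}/selfsigned-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Generate a self-signed certificate and its private key. The SAN entry is
# what lets hostname verification succeed once the certificate is trusted.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" \
        -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" >/dev/null 2>&1
}

# What a browser does: validate against the system trust store only.
# A self-signed certificate has no trusted issuer, so this is expected to fail.
verify_with_system_store() {
    openssl verify "$WORK/server.crt" >/dev/null 2>&1
}

# The closed-user-group mitigation from the answer: the exact certificate
# is added as a trust anchor, so chain validation and the hostname check pass.
verify_with_explicit_trust() {
    openssl verify -CAfile "$WORK/server.crt" -verify_hostname "$HOST" \
        "$WORK/server.crt" >/dev/null 2>&1
}

# Even with the certificate trusted, a different hostname must still be
# rejected: trusting one self-signed cert must not turn it into a wildcard.
verify_wrong_hostname() {
    openssl verify -CAfile "$WORK/server.crt" \
        -verify_hostname "other.example.internal" "$WORK/server.crt" >/dev/null 2>&1
}

# Run all three checks and report the outcomes on one line.
run_demo() {
    make_self_signed
    sys=untrusted; exp=untrusted; bad=untrusted
    verify_with_system_store && sys=trusted
    verify_with_explicit_trust && exp=trusted
    verify_wrong_hostname && bad=trusted
    echo "$sys $exp $bad"
}
# For Java clients (the GlassFish case) the equivalent of -CAfile is importing
# server.crt into the JVM truststore, e.g. keytool -importcert -file server.crt
```

Distributing the certificate to every client this way only scales to a closed group; for a public site the browser warning stays, which is the answer's point.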