BrettRobi

Reputation: 3921

Using self-signed X509 certs to secure a production SF Cluster

I'm going down the path of figuring out the details of securing our SF Clusters. I'm finding that the docs note in a number of places not to use self-signed certs for production workloads. But nowhere does it explain why.

Can anyone from the SF team explain why a self-signed X509 cert is not as secure as one issued from a known CA? I thought the only true difference is that self-signed certs do not chain to a certified root authority, which would mean any clients might not see the cert as valid. But with node-to-node security why would this matter?

So what risk am I taking if I use self-signed certs for node-to-node or even client-to-node security of my production SF Clusters?

Upvotes: 7

Views: 439

Answers (1)

LoekD

Reputation: 11470

  • For client to node: As anyone can spoof your self-signed certificate, you won't be able to assert from the client that you're actually talking to the correct server. Also, there's no way to revoke a self-signed cert. Finally, end users will see that nasty security warning in the address bar.
  • For node to node: same thing applies, but since it's in a vnet behind the load balancer, the risk of tampering is lower.

Encryption of the data itself will work using either type of certificate, but a MITM attack is made easier.

Upvotes: 3
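The spoofing point in the answer above, shown as an added example (not code from the question, the answer, or Service Fabric itself): a "cluster CA" issues a genuine node certificate, and a self-signed impostor is minted with the same subject. A client that only compares the subject name cannot tell them apart; a client that verifies the chain against the pinned CA rejects the impostor. Go is used because its standard library does the chain verification offline; the CA name and hostname are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mint issues a cert for name; with a nil parent it is self-signed, which any impostor can do too.
func mint(name string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only the CA may sign other certs
	}
	signer, skey := tmpl, key // self-signed: the template signs itself
	if parent != nil {
		signer, skey = parent, pkey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, skey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo mints a cluster CA, a genuine node cert and a self-signed impostor with the same
// subject, then reports what a subject-name-only check and a chain check each accept.
func Demo() (nameOnlyAcceptsSpoof, chainAcceptsGenuine, chainAcceptsSpoof bool) {
	const node = "node0.cluster.example" // constructed hostname
	ca, caKey := mint("Cluster Root CA", true, nil, nil)
	genuine, _ := mint(node, false, ca, caKey) // issued by the cluster CA
	spoof, _ := mint(node, false, nil, nil)    // self-signed impostor carrying the same subject
	roots := x509.NewCertPool()                // the client trusts the cluster CA only
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, DNSName: node}
	_, errGenuine := genuine.Verify(opts)
	_, errSpoof := spoof.Verify(opts) // fails: UnknownAuthorityError, no chain to the pinned root
	return spoof.Subject.CommonName == node, errGenuine == nil, errSpoof == nil
}
```

The same distinction is why pinning a specific thumbprint (rather than a name) is the only way a self-signed cert can be trusted safely, and why that pin has to be rotated by hand since nothing can revoke it.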
