Is there a difference between a self-signed certificate and one signed by your own CA?

We need to use SSL on our internal network for a few sensitive applications, and I need to know if there is a difference between a self-signed certificate and one signed by a Windows Server CA that we set up? Do we need to set up a CA?


In the short term for a single service there isn't much difference.

If you decide you need to set up more services that use SSL, then you may find that setting up a CA would have been a better choice.

If you set up a CA, you should be able to get your clients to trust the CA and thus any certs it signs. Once the CA is up, adding additional services is easy. With lots of self-signed certs a user will have to accept each certificate separately.

Are you saying you have a Windows CA? If you already have one, I would use it. If you don't already have one, I would be tempted to use a lightweight system like TinyCA which you could run in a VM or off a Linux on a USB disk.


A certificate may contain information about which uses it is authorized for, such as whether it's allowed to be used for signing other public key certificates, or whether it's a CA certificate. Some implementations may check for that kind of information and refuse to honor a certificate for certain purposes without the right info.

Examples of these extra pieces of information include:

  • The "Key Usage" extension (OID 2.5.29.15), which might specify whether or not this certificate is allowed to be used for Key Certificate Signing.
  • The "Basic Constraints" extension (OID 2.5.29.19), which specifies whether or not this is a CA certificate.

If you're creating your own self-signed cert, and you want to use it as a CA cert, and you want to increase your chances of having it accepted by whatever software you'll be using it with, you should probably make sure it contains properly-configured values for those two extensions I mentioned above.

If you omit those two extensions, many implementations might still honor it as a CA cert, but some implementations might not.
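The following is an added example (not code from either answer) that ties the two answers together with the openssl CLI, which it assumes is installed: it creates a self-signed CA certificate carrying both extensions named above (Basic Constraints CA:TRUE and Key Usage keyCertSign, both critical), checks that they are present, issues a server certificate signed by that CA, and verifies that the server certificate chains to it. The CN values and file paths are placeholders.

```shell
# Added example (not from the original answers). Assumes the openssl CLI.
set -e

# Write a self-signed CA certificate to $1 and its private key to $2.
# The config sets the two extensions named in the answer: Basic Constraints
# (2.5.29.19) CA:TRUE and Key Usage (2.5.29.15) keyCertSign, both critical.
make_ca_cert() {
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Internal Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$conf" -keyout "$2" -out "$1" 2>/dev/null
    rm -f "$conf"
}

# Succeed only if the certificate in $1 carries CA:TRUE and the
# keyCertSign bit (printed as "Certificate Sign" by openssl x509 -text).
has_ca_extensions() {
    txt=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$txt" | grep -q 'CA:TRUE' || return 1
    printf '%s\n' "$txt" | grep -q 'Certificate Sign' || return 1
}

# Issue a server certificate for host $3, signed by the CA cert $1 / key $2,
# into $4. Clients that trust the CA accept it without a per-cert prompt.
issue_server_cert() {
    csr=$(mktemp); key=$(mktemp)
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$key" -out "$csr" 2>/dev/null
    openssl x509 -req -in "$csr" -CA "$1" -CAkey "$2" -CAcreateserial \
        -days 365 -out "$4" 2>/dev/null
    rm -f "$csr" "$key"
}

# Exit status 0 when the certificate in $2 chains to the CA certificate in $1.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

The `-days` values and the RSA key size are illustrative choices; use the policy your internal CA requires.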