Is it a good idea to use CACert SSL certificates instead of self-signed ones in production?

Solution 1:

I would advise that while there's nothing wrong with using free certs, like from CACert, you probably won't gain anything from doing so either.

Since they're not default trusted by anything, you'll still need to install/deploy the root certificate to all your clients, which is the same situation you'd be in with self-signed certs or certs issued by an internal CA.

The solution I prefer (and use) is an internal Certificate Authority and a mass deployment of its root certificate to all domain machines. Having control over the certificate authority you use makes certificate management a lot easier than even through a portal site. With your own CA, you can generally script up a certificate request and corresponding certificate issue so that all your servers, sites, and anything needing a certificate can get it automatically and be trusted by your clients almost immediately after being put into your environment, with no effort or manual tasks by IT.

Of course, if you're not up to the task of setting up and automating your own CA, then using an external free one like the one you mentioned could make your life a little easier, only having to deploy one external root certificate... but you should probably try to do it right the first time, and set up an internal CA for your domain.
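The internal-CA workflow Solution 1 describes, as an added example that is not part of the original answers: create the root once, script one request-and-issue cycle per server, and run the client-side check that shows why the root has to be deployed. The CA name, hostnames, paths and lifetimes are assumptions made for the example; it requires openssl 1.1.0 or newer.

```shell
#!/bin/sh
# Added example (not code from the original answers). Names, paths and
# lifetimes are constructed for illustration.

# Step 1: create the internal root CA. This self-signed root is the one
# certificate you mass-deploy to every client trust store; its key stays
# on the CA host only.
make_ca() {                                   # $1 = working directory
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
O = Corp Example
CN = Corp Example Internal Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Step 2: the scriptable request-and-issue cycle for one server. The
# server keeps its key and hands over only a CSR; the CA signs it with
# end-entity extensions (CA:FALSE, serverAuth, SAN) and a short lifetime.
issue_server_cert() {                         # $1 = working dir, $2 = hostname
    openssl req -new -config "$1/ca.cnf" -subj "/CN=$2" -newkey rsa:2048 \
        -nodes -sha256 -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature,keyEncipherment' \
        'extendedKeyUsage = serverAuth' "subjectAltName = DNS:$2" > "$1/$2.ext"
    openssl x509 -req -sha256 -days 398 -in "$1/$2.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -extfile "$1/$2.ext" \
        -out "$1/$2.crt" 2>/dev/null
}

# Step 3: what a client does. Succeeds only if the root was deployed to
# that client AND the name matches; pass "" as the root to model a client
# that never received it (the CACert / self-signed situation in the answer).
client_trusts() {                             # $1 = root file or "", $2 = cert, $3 = hostname
    if [ -n "$1" ]; then
        openssl verify -no-CApath -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -no-CAfile -no-CApath -verify_hostname "$3" "$2" >/dev/null 2>&1
    fi
}
```

Run it as `d=$(mktemp -d); make_ca "$d"; issue_server_cert "$d" web01.corp.example; client_trusts "$d/ca.crt" "$d/web01.corp.example.crt" web01.corp.example && echo trusted`; the same call with `""` as the root fails, which is exactly the state every client is in until the root is pushed out.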

Solution 2:

I would suggest free SSL Certificates from StartSSL, which are recognized by modern browsers too. I've got nothing against CACert except that it doesn't take anything but an account to issue certificates, and those certs are not recognized by anyone unless you manually install the root cert.

Obligatory disclaimer as this is a product recommendation: I'm not affiliated with StartSSL in any way. Just a happy customer.