Self-signed certificates

Use self-signed certificates to test an SSL configuration before you create and install a signed certificate that is provided by a Certificate Authority.

A self-signed certificate contains the public key, the identifying information, and the signature of the certificate owner. It also has an associated private key, but because the owner signs the certificate itself, no third-party Certificate Authority verifies the origin of the certificate.

After you generate a self-signed certificate on an SSL server application, you must:
  1. Extract it.
  2. Add it to the certificate registry of the SSL client application.

This procedure is equivalent to installing the CA certificate that corresponds to a server certificate. However, when you extract a self-signed certificate to use as the equivalent of a CA certificate, you do not include the private key in the extracted file; the private key stays on the server.

Use a key management utility to do the following tasks:
  • Generate a self-signed certificate.
  • Generate a private key.
  • Extract a self-signed certificate.
  • Add a self-signed certificate.
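The following script is an added example, not part of the original IBM documentation, and it uses OpenSSL as a stand-in for the product's key management utility (the assumed commands, host name `example-server.test`, and file names are illustrative). It walks through the four tasks in order: generate a private key and self-signed certificate on the server side, extract the certificate alone, confirm that the extracted file carries no private key, add it to the client's trust store, and then verify that the client now accepts the server certificate. It also checks the property that defines a self-signed certificate: the issuer name equals the subject name.

```shell
#!/bin/sh
# Added example (OpenSSL, not the product's own key management utility).
# Assumed layout: one working directory holds the "server" and "client" files.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SERVER_KEY="$WORKDIR/server.key"          # stays on the SSL server only
SERVER_CERT="$WORKDIR/server.pem"         # self-signed server certificate
EXTRACTED_CERT="$WORKDIR/server-ca.pem"   # certificate only, no private key
CLIENT_TRUST="$WORKDIR/client-trust.pem"  # the client's "certificate registry"

# Task 1 and 2: generate a private key and a self-signed certificate.
# -nodes leaves the key unencrypted so the example runs non-interactively.
generate_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=example-server.test" \
    -keyout "$SERVER_KEY" -out "$SERVER_CERT" 2>/dev/null
}

# Task 3: extract the certificate. Only the public certificate is written out.
extract_certificate() {
  openssl x509 -in "$SERVER_CERT" -out "$EXTRACTED_CERT"
}

# Check that the extracted file is safe to hand to clients: it must not
# contain a private key block.
extracted_has_no_private_key() {
  ! grep -q "PRIVATE KEY" "$EXTRACTED_CERT"
}

# A self-signed certificate is its own issuer: subject and issuer match.
is_self_signed() {
  subject=$(openssl x509 -noout -subject -in "$EXTRACTED_CERT" | sed 's/^subject=//')
  issuer=$(openssl x509 -noout -issuer -in "$EXTRACTED_CERT" | sed 's/^issuer=//')
  [ "$subject" = "$issuer" ]
}

# Task 4: add the extracted certificate to the client's trust store, which
# is modelled here as a PEM bundle used as the CA file.
add_to_client_trust() {
  cat "$EXTRACTED_CERT" >> "$CLIENT_TRUST"
}

# The client now validates the server certificate against its trust store,
# exactly as it would validate a CA-issued chain.
client_trusts_server() {
  openssl verify -CAfile "$CLIENT_TRUST" "$SERVER_CERT" >/dev/null 2>&1
}

# Before the certificate is added, the same check must fail: the client
# has no reason to trust an unknown self-signed certificate.
client_rejects_untrusted_server() {
  : > "$WORKDIR/empty-trust.pem"
  ! openssl verify -CAfile "$WORKDIR/empty-trust.pem" "$SERVER_CERT" >/dev/null 2>&1
}

# Run the procedure end to end when executed directly.
run_procedure() {
  generate_self_signed
  extract_certificate
  extracted_has_no_private_key
  is_self_signed
  client_rejects_untrusted_server
  add_to_client_trust
  client_trusts_server
  echo "client trusts $SERVER_CERT via $CLIENT_TRUST"
}
```

Run `run_procedure` after sourcing the script; the `extracted_has_no_private_key` check is the step that matters most in practice, because an extracted file that still contains the private key would give every client the ability to impersonate the server.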

Use of self-signed certificates depends on your security requirements. To obtain the highest level of authentication between critical software components, do not use self-signed certificates, or use them only selectively. Authenticate applications that protect server data with digital certificates signed by a Certificate Authority. You can use self-signed certificates to authenticate web browsers or IBM Security Verify Adapters.

If you are using self-signed certificates, you can substitute a single self-signed certificate for a certificate and CA certificate pair.