I’m writing a simple client and server using Go. I don’t want to pay for an SSL certificate, and I’ve read that self-signed certificates are useless for proving identity since an attacker could just MITM and provide his own self-signed certificate.
However, I’ve learned that I can have my client use whatever root certificates I want. Can I just create my own, have the client trust that, sign a certificate for my server, and connect securely while being protected from MITM attacks? If so, how do I create my own root certificate?
A self-signed certificate is a special case of deploying your own PKI (pushed to the extreme where you only have one certificate in that PKI).
Both can be used to prevent MITM attacks, provided that the client can verify the server certificate using trust anchors (certificates) it knows in advance (and has been configured with them in a trusted manner).
You can create your own CA and configure your client to use its root CA certificate or, if you only have a very limited set of servers, you can usually configure clients to trust a specific certificate directly (self-signed or not).
You may be interested in these questions for links to tools:
Once you’ve understood the basic principles, the technical aspects are not necessarily difficult, but part of the real difficulty is in the administration of your CA.