We have a Java EE project on GlassFish that contains a login screen that we want to secure through SSL.
What’s the disadvantage of using a self-generated certificate instead of one signed by a CA in production? Will it give warnings and a bad experience to the end user?
Yes, a user browsing the login site will get a certificate warning in their browser each time.
If the application will only be used within a closed user group (let’s say within a company), then you might mitigate this by adding the self-signed certificate to each user’s set of trusted certificates (either in the browser or on the OS level, depending on the particular situation).
But if your application is typically open to the vast public, then it’s considered bad practice to use self-signed certificates. You are basically educating your users to ignore and accept the browser warning, which is normally the last line of defense against man-in-the-middle attacks. That’s clearly not what you want, so in that case you should always use a “real” certificate, even if it’s a staging/test deployment only.
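An added example (not part of the question or the answer above) that shows the two outcomes the answer describes, using the openssl CLI rather than GlassFish's keytool: a self-signed certificate for a constructed hostname fails validation against the system trust store, and passes once that same certificate is installed as an explicit trust anchor, which is the closed-user-group mitigation. It assumes openssl is on PATH; the hostname and file paths are constructed.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Demonstrates why browsers warn about self-signed certificates and what
# "adding it to the user's trust store" changes. Requires the openssl CLI.
set -u

WORK="${TMPDIR:-/tmp}/selfsigned-demo.$$"   # constructed scratch directory

# Create a key pair and a self-signed certificate for a constructed hostname.
make_self_signed() {
  mkdir -p "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/login.key" -out "$WORK/login.crt" \
    -subj "/CN=login.example.internal" >/dev/null 2>&1
}

# Validate the certificate the way a browser does by default: only against
# the CA bundle that ships with the system. Returns openssl's exit status,
# which is non-zero here because the issuer (the cert itself) is untrusted.
verify_with_system_store() {
  openssl verify "$WORK/login.crt" >/dev/null 2>&1
}

# Validate again with the self-signed certificate supplied as a trust
# anchor, the equivalent of importing it into each user's browser or OS
# trust store. Returns 0 because the chain now ends at a trusted root.
verify_with_pinned_store() {
  openssl verify -CAfile "$WORK/login.crt" "$WORK/login.crt" >/dev/null 2>&1
}

cleanup() { rm -rf "$WORK"; }

# Stand-alone run: print both outcomes, then remove the scratch files.
make_self_signed
if verify_with_system_store; then
  echo "system trust store: accepted (unexpected for a self-signed cert)"
else
  echo "system trust store: rejected, a browser would show a warning here"
fi
if verify_with_pinned_store; then
  echo "with cert pinned as trust anchor: accepted, no warning"
else
  echo "with cert pinned as trust anchor: rejected (unexpected)"
fi
cleanup
```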