Is a self-signed SSL certificate safe or not?



There are two types of SSL certificates, classified by how they are issued.
  • Self signed SSL certificates
A self-signed certificate is an identity certificate that is signed by its own creator. That is, the person who created the certificate also signed off on its legitimacy.
  • CA issued SSL certificates
A CA issues digital certificates that contain a public key and the identity of the owner. The matching private key is not similarly made available publicly, but kept secret by the end user who generated the key pair. The SSL certificate is also an attestation by the CA that the public key contained in the certificate belongs to the person, organization, server or other entity noted in the certificate. A CA's obligation in such schemes is to verify an applicant's credentials, so that users and relying parties can trust the information in the CA's certificates. CAs use a variety of standards and tests to do so.

If the user trusts the CA and can verify the CA's signature, then they can also verify that a certain public key does indeed belong to whoever is identified in the certificate.

Now let's talk about self-signed SSL certificates. A self-signed SSL certificate is created by an individual and installed on an intranet or internet website. If your website uses a self-signed SSL certificate and anyone browses it over the secure HTTPS:// channel, he/she will get an error (Error: Security Failed. Invalid Certificate Found).

What does this error mean? (Error: Security Failed. Invalid Certificate Found)

Well, you have installed a self-signed SSL certificate, so it is trusted only by your own server/PC. Browsers authenticate an SSL certificate by chaining it to a Root CA certificate they already trust. A self-signed certificate does not chain to any globally trusted Root CA: it was created on your in-house server, and the visitor's PC does not have that root certificate installed. So whenever anyone browses your website over the secure HTTPS:// channel, the SSL certificate installed on the website will not be authenticated as a trusted SSL certificate, and an SSL certificate security error will be shown. The visitor will see the error and leave your website, because he/she feels unsafe providing confidential details such as a credit card number, security code, user name, password, etc.

If you want a self-signed SSL certificate to work without errors, you need to install your root certificate as a trusted central CA on each user's PC. On an intranet, where you only have to install it on a few PCs, this is possible. What about PCs on the internet? How can you install it on a website visitor's PC before he/she visits your website? This is not possible at all, because you cannot guess who will visit your website or when.
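The trust decision described above, as an added Go example (not code from ClickSSL): it generates a self-signed certificate for a placeholder host name, verifies it the way an ordinary visitor's client would (against the system trust store, which fails with "unknown authority"), and then the way a PC that has the certificate installed as a trusted root would (which succeeds). The host name and validity period are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// newSelfSigned builds a certificate for host signed with its own key: no CA vouches for it.
func newSelfSigned(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host}, // clients match the host name against the SAN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Parent == template: the certificate signs itself.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAs chains cert to roots like a client does; nil roots = the system trust store.
func verifyAs(cert *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	const host = "intranet.example" // constructed placeholder host name
	cert, err := newSelfSigned(host)
	if err != nil {
		panic(err)
	}
	fmt.Println("ordinary visitor:", verifyAs(cert, host, nil))
	trusted := x509.NewCertPool()
	trusted.AddCert(cert) // the "install the root on each PC" step
	fmt.Println("root installed :", verifyAs(cert, host, trusted))
}
```

The first line prints a "certificate signed by unknown authority" error, which is exactly the condition behind the browser warning; the second prints `<nil>`, and it only does so on machines where that install step was performed.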

For further background, read this passage on the web of trust (quoted from Wikipedia, credited below):

In a web of trust certificate scheme there is no central CA, and so identity certificates for each user can be self-signed. In this case, however, it is additional signatures from other users which are evaluated to determine whether a certificate should be accepted as correct. So, if users A, B, and C have signed Mary’s certificate, user E may decide to trust that the public key in the certificate is Mary's (all these worthies having agreed by their signatures on that claim). But, if only user A has signed, E might (based on his knowledge of A) decide to take additional steps in evaluating Alice's certificate. On the other hand, C's signature alone on the certificate may by itself be enough for E to trust that he has Alice's public key (C being known to E to be a reliably careful and trustworthy person).

There is, of course, a potentially difficult regression here, as how can E know that A, B, Ted, or C have signed any certificate at all unless he knows their public keys (which of course came to him in some sort of certificate)? In the case of a small group of users who know one another in advance and can meet in person (e.g., a family), users can sign one another's certificates when they meet as a group, but this solution does not scale to larger settings. This problem is solved by fiat in X.509 PKI schemes as one believes (i.e., trusts) the root certificate by definition. The problem of trusting certificates is real in both approaches, but less easily lost track of by users in a Web of Trust scheme.

Credit: http://en.wikipedia.org/wiki/Self-signed_certificate
