What Is a Self-Signed Certificate?

In plain English

A self-signed certificate is one that nobody vouched for, signed by whoever made it rather than by a trusted authority. The encryption still works, but browsers show a full-page warning because the identity claim has nothing behind it.

The idea

A normal SSL certificate is signed by a certificate authority, an outside organisation your browser already trusts. That signature is what turns a claim into evidence.

A self-signed certificate skips that step. The server operator generates the file and signs it themselves. It says "this is example.com", and the only thing backing that up is the say-so of whoever made it.

Think of it as a homemade ID card. Perfectly real card, perfectly real photo, but you printed it in your kitchen and no authority stands behind it. Nobody is going to accept it as proof of who you are.

The encryption still works

This part surprises people, so it is worth being precise.

A self-signed certificate encrypts the connection exactly as well as a paid one. The TLS maths does not care who signed the file. Traffic is scrambled either way.

What is missing is the identity guarantee, and that gap is not academic. Without a trusted signature, your browser has no way to tell the real server from someone intercepting the connection and presenting their own homemade certificate. You would have an encrypted connection to an attacker, which is worse than useless because it feels safe.

That is why browsers refuse to let it slide.

Why the warning is a whole page

Browsers do not put a small note in the corner for this. They stop you with a full-page interstitial, hide the "continue" option behind an extra click, and use blunt language about the connection not being private.

That is deliberate. The browser genuinely cannot tell the difference between a well-meaning developer who never got a proper certificate and an active attack on your connection. Both look identical from the outside. Faced with that, the browser assumes the worst, and it is right to.

When it is fine, and when it is not

The line is clear.

  • Fine: internal testing, a local development environment, a staging server only you reach, machines on a private network where you already know what you are connecting to.
  • Never right: any public website. Certainly any site taking payments, logins, or personal details.
  • No excuse: certificates are free and automatic now. Every major platform provisions one for you, and on cPanel hosting AutoSSL does it. A public site on a self-signed certificate in 2026 means nobody is looking after it.
  • Not a fix: telling visitors to "just click through the warning". Training people to dismiss security warnings is how they get caught by the real thing later.

If you are a shopper and you see this warning

Simple advice, and please follow it.

Do not click through. Do not enter card details. Close the tab.

You are being told the site cannot prove it is who it says it is. Maybe it is a neglected shop with a broken certificate. Maybe your connection is being intercepted right now. You have no way to tell which, and neither does your browser, and the downside of guessing wrong is your card number in someone else's hands.

A real shop that wants your money can fix this for free in an afternoon. One that has not is not a shop worth risking it on. Worth reading: does HTTPS mean a website is safe, because the reverse is true too. A padlock alone does not make a site trustworthy.

If it is your site

Replace it, today. Almost every host and platform will issue a free certificate automatically, so the usual fix is switching the feature on rather than buying anything.

Once a proper certificate is in place, do the rest in order: certificate first, then force HTTPS, then consider HSTS. If you are not sure what your visitors are seeing right now, run a free check.

Need to fix this on your own site?

We have step by step instructions for every major platform, including the ones that will not let you.

See how to install a real certificate

Related terms

Browse the full glossary →

See where your site stands.

Run a free check and find out which of these your site already passes, in seconds.

Run a free check Browse the fixes