What is a Self-Signed Certificate?
A self-signed certificate is a TLS/SSL certificate that is signed by the same entity whose identity it certifies. Unlike certificates signed by Certificate Authorities (CAs), self-signed certificates are not inherently trusted by clients or browsers.
When to Use Self-Signed Certificates
- Development environments
- Internal testing and staging setups
- Internal services in private networks (e.g., Kubernetes clusters)
⚠️ Avoid using self-signed certificates in production for public-facing services unless you manage client trust manually.
How to Generate a Self-Signed Certificate Using OpenSSL
openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout key.pem -out cert.pem -days 365 -subj "/CN=my-service.local"
This command creates:
key.pem: private key
cert.pem: public self-signed certificate
Using Self-Signed Certificates in Kubernetes
- Create a TLS secret:
kubectl create secret tls my-tls-secret --key key.pem --cert cert.pem
- Mount the secret in a pod or use it with an Ingress controller (like NGINX):
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - my-service.local
    secretName: my-tls-secret
  rules:
  - host: my-service.local
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-service
            port:
              number: 80
Trusting Self-Signed Certificates
You must manually trust the certificate on the client side. For example:
curl --cacert cert.pem https://my-service.local
Or import the certificate into the system trust store.
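The generation step and the client-side trust step above, as one added script that is not part of the original article. It generates the certificate with a Subject Alternative Name as well as a CN (modern clients such as curl, browsers and Go ignore the CN and match the hostname against SANs only, so a CN-only certificate fails verification even after you trust it), confirms that issuer equals subject, and runs the same verification curl --cacert performs. It assumes OpenSSL 1.1.1 or newer (for -addext) and the hostname my-service.local.

```shell
#!/bin/sh
# Added example, not from the original article. Generates a self-signed
# certificate that also carries a Subject Alternative Name (SAN): modern
# clients match the hostname against SANs only, so a CN-only certificate
# is rejected even after you trust it. Assumes OpenSSL >= 1.1.1 (for
# -addext) and the hostname my-service.local.
set -eu

# Key + self-signed cert with SAN, written into the directory given in $1,
# for the hostname given in $2.
gen_self_signed_cert() {
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
    -keyout "$1/key.pem" -out "$1/cert.pem" -days 365 \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
}

# "yes" when issuer == subject, the defining property of a self-signed cert.
is_self_signed() {
  s=$(openssl x509 -in "$1" -noout -subject_hash)
  i=$(openssl x509 -in "$1" -noout -issuer_hash)
  [ "$s" = "$i" ] && echo yes || echo no
}

# "yes" when the hostname appears as a DNS SAN entry.
has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2" && echo yes || echo no
}

# Mimic what `curl --cacert cert.pem` does: trust only this file, require
# the chain to end in it and the hostname to match. Prints ok or fail.
verify_as_client() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1 \
    && echo ok || echo fail
}

main() {
  d=$(mktemp -d)
  gen_self_signed_cert "$d" my-service.local
  echo "self-signed:   $(is_self_signed "$d/cert.pem")"
  echo "san present:   $(has_san "$d/cert.pem" my-service.local)"
  echo "client verify: $(verify_as_client "$d/cert.pem" my-service.local)"
  rm -rf "$d"
}
main
```

Drop the -addext line to reproduce the CN-only certificate from the command above and verify_as_client reports fail, which is exactly what a browser or curl sees.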
Conclusion
Self-signed certificates offer a simple and cost-free way to encrypt internal communication, especially in Kubernetes clusters or local development. Just remember the trust limitations and avoid using them publicly unless you understand the risks.