I am pretty new to the web world.
One thing I want to have is secure connection, when I log into my webmail, phpmyadmin etc.
Therefore I signed my own ssl certificates with openssl and told apache to listen on 443.
Now I was wondering if this in fact is secure? Are all my passwords really sent through a safe and secure layer? What difference does it make, if a buy a ssl certificate from verisign or sign my own one? At the end of the day, all data will be on my server anyway. So what is the big difference?
Thanks for clarifying!
This is all about trust. If you get a signed certificate from verisign you prove to random clients that your certificate is trusted. If you self-sign the certificate people not having your certificate installed on their computer cannot be sure that they aren’t being attacked by an Man-in-the-middle attack.
If your webserver is just used by you, then you do not need a real CA (such as verisign) to sign your certificate. Just install the certificate on the machines that you want to use and you’re good to go.
Edit: So to answer your question: Yes everything is encrypted and you can be sure no-one can read your sensitive data if you know that the certificate presented to the web browser is in fact the one you have setup the web server with.
Check more discussion of this question.