lammert - 6:21 pm on Dec 20, 2010 (gmt 0)

I think I understand wheel's comment.

Certificates are used for two different things. One is encrypting the data stream to make it impossible to be read by a third party. The other use is to ensure that the website or site-owner is who it/he pretends to be.

In the first situation self-issued certificates work just as good as certificates issued by an authority. In the second situation you need a trusted authority which checks the validity of the submitted website or owner information.

Most certificate errors in browsers come from an authentication matching problem. Either the root authority mentioned in the certificate chain is not recognized by the computer, or the domain the certificate is served from is not in the domain list of the certificate itself. In both cases the authentication of the certificate fails, but the encryption of the data stream is still working.

Many sites only need data stream encryption, not a validation of the website or owner. That is where a self-issued certificate should be allowed.