Self-Signed SSL Certs in “internal” Production (not publicly exposed)

If you have a security team, ask them.

It can be reasonable to use self-signed certificates in production. In fact, some multi-node systems — Chef server and Chef clients are one random example — generate and use self-signed certificates per installation by default. Self-signed certificates are also not unheard of in peer-to-peer systems.

The primary downside of self-signed certificates that I see (I'm by no means a security expert) is that you will have to manage trusted CA certificates, whereas with a well-known commercial CA their certificates might already be bundled with your OS or be easy to install as an optional package (with apt, yum, etc.). That introduces operational overhead and security risks.

If I were deciding whether that is worth doing, I'd ask my team what features of TLS we are after: encryption? authentication? integrity? A certain combination of those? How sensitive is the data that will be transferred over this installation? Do we have any in-house experience with self-signed certificate management? And so on.

But I certainly see that self-signed CA certificates can be worth using in production in some cases. It's just that our docs try to recommend the safer side.
