Self-Signed SSL Certificate — What It Is and How to Replace It

A self-signed SSL certificate triggers a full-page browser warning that scares away almost every visitor. The fix takes about ten minutes and is free.

What a self-signed certificate is

An SSL certificate proves your domain is who it claims to be. Browsers only trust certificates signed by a recognized Certificate Authority (CA) such as Let’s Encrypt, DigiCert, or Sectigo. A self-signed certificate is one you generated yourself and signed with your own key — there’s no chain of trust back to a CA, so browsers refuse to consider it valid.

You’ll typically see a self-signed cert when a developer set up the server for testing and forgot to switch to a real cert before going live, or when a default appliance certificate was never replaced.

What visitors see

Replace it with a free Let’s Encrypt certificate

  1. SSH into your server. If you’re on shared hosting, use your control panel’s “SSL/TLS” section instead.
  2. Install certbot: sudo apt install certbot python3-certbot-nginx (or the Apache plugin if you run Apache).
  3. Run sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com. Certbot fetches a real certificate, installs it, and configures HTTPS redirect.
  4. Confirm with a private browser window — the lock icon should appear with no warning.
  5. Verify auto-renewal: sudo certbot renew --dry-run. Certbot installs a systemd timer that renews every 60 days.

On a managed host (Vercel, Netlify, Cloudflare Pages, Squarespace, Shopify), HTTPS is automatic — you don’t need certbot. Just point the DNS record at the platform and SSL provisions itself in under a minute.

Monitor so this never recurs

Even with a real certificate, a misconfigured renewal can put you back in self-signed territory (some servers fall back to a snake-oil cert). Add the domain to GuardHound and you’ll get an alert the moment the certificate goes self-signed, expires, or becomes unreachable — no manual checking required.
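The fallback described above can also be caught with the openssl CLI. This is an added example, not code from the original page or from GuardHound; the function names `fetch_cert`, `cert_state` and `make_sample_certs` and the `.test` hostnames are hypothetical, and the sample certificates are constructed test data.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Requires the openssl CLI.

# fetch_cert HOST [PORT]: print the leaf certificate a server presents, as PEM.
fetch_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# cert_state PEM_FILE [WARN_SECONDS]: print unreadable, self-signed, expiring or ok.
cert_state() {
    local pem="$1" warn="${2:-0}" subject issuer
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || { echo unreadable; return 0; }
    subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253)
    issuer=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253)
    # Subject equal to issuer: no CA vouched for this certificate. This is a
    # name comparison only; the signature is not re-verified here.
    if [ "${subject#*=}" = "${issuer#*=}" ]; then echo self-signed; return 0; fi
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$pem" -noout -checkend "$warn" >/dev/null 2>&1; then
        echo expiring; return 0
    fi
    echo ok
}

# make_sample_certs DIR: constructed test data (hypothetical names). Writes
# DIR/selfsigned.pem and DIR/leaf.pem; the leaf is signed by a throwaway CA
# and valid for one day.
make_sample_certs() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=snakeoil.test" \
        -keyout "$d/ss.key" -out "$d/selfsigned.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# Live use: ./certcheck.sh yourdomain.com   (warns 30 days before expiry)
if [ "$#" -ge 1 ]; then
    tmp=$(mktemp) && fetch_cert "$1" >"$tmp"
    cert_state "$tmp" 2592000
    rm -f "$tmp"
fi
```

Run from cron against your own domain, any output other than `ok` is worth an alert; an unreachable server shows up as `unreadable` because no certificate could be fetched.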

Frequently Asked Questions

Is a self-signed certificate ever OK?
For internal-only services on a private network where you control every client, yes — but you must explicitly trust the certificate on each client. For anything public or anything an end user reaches over the internet, never.

Will switching to Let’s Encrypt cost me anything?
No. Let’s Encrypt issues domain-validated certificates for free, and the renewal cron is included with certbot. The cert is exactly as cryptographically strong as a $400/year commercial cert.

How long does it take to replace?
On a typical Linux server with certbot, under five minutes from running the command to seeing the green padlock. On managed hosts, it’s usually instant.