And what about testing small applications on remote servers like "dev.my-personal-site.com"? I don't want to pay $15 for an SSL certificate and 15 minutes of my time just so I can get my dumb lunch break tetris HTML app running on the machine I SSH into from my tablet.
I am long past confused and heading toward awed, at this point, that it's not a common-sense practice for every web developer to generate a personal self-signed root-CA cert, and install it on all of their machines. It's as basic as having an SSH or PGP key.
Setting up a new box? Put your CA-cert in its trust roots. Then use your CA to generate a server cert for it; plop that in /etc/nginx and wherever else. Now it's secure!
This is exactly the original use-case for X.509 certificate authorities: pairing devices on a private network without having to give each of them a set of of their peers' keys in advance. You have a private network that you run services on? You're a CA.
And really, in the dev-environment case, you actually want client-auth, too, because then you get "clients who don't have a CA-issued client cert can't connect" for free.
In proper X.509, the server auths the client just like the client auths the server—it's really more of an equal-peers "we're both trusted by the CA—the network owner—so we should both trust each-other" kind of thing. The public Internet centralized X.509 model—where the client has a huge list of CAs that the user doesn't even know the contents of, and the server doesn't check anything—is a very strange and non-idiomatic implementation of the premise.
I'm really talking about the kind of developers that hang out here—people who regularly set up their own staging environments, use those "tunnel into my dev box" services, etc. Most of us here certainly know SSH, and probably have used GnuPG at least once. But it's still relatively unlikely, statistically, that you or I have ever touched the openssl(1) command.
Honest question, say you follow this (which is what I did a while ago for my OwnCloud instance) -- is it possible to install your self-signed certificate on iOS? Because that was the problem I ran into, and ended up moving to a "real" certificate, but I would've been happy to remain self-signed given the option.
Yes. Just email the self-signed certificate to yourself, then open it up on the iOS device. You can also create a personal CA and install it the same way, if you plan on connecting to more than one host.
