SSL Self-Signed Certificate
What This Check Does
The SSL Self-Signed Certificate check detects when your domain is serving a certificate that was signed by its own private key rather than by a trusted Certificate Authority (CA). DNS Spy inspects the certificate chain and checks whether the issuer and subject are the same entity — the defining characteristic of a self-signed certificate.
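The issuer/subject comparison described above can be reproduced locally with the openssl command line. The script below is an added example, not DNS Spy's own code, and it goes one step further than the name comparison: it also confirms that the signature verifies under the certificate's own public key, because a certificate can carry matching issuer and subject names and still have been signed by a different key. The function names, subject names and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example; every subject name and file here is constructed for the demo.

# is_self_signed CERT.pem
#   0 = self-signed (subject == issuer AND signature verifies with its own key)
#   1 = issuer differs from subject (issued by another entity)
#   2 = names match, but the signature was made by a different key
#   3 = the file could not be parsed as a certificate
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 3
    i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 3
    [ "$s" = "$i" ] || return 1
    # Trust only the certificate itself and force the self-signature check.
    openssl verify -check_ss_sig -CAfile "$1" "$1" >/dev/null 2>&1 || return 2
}

# issue DIR NAME ISSUER_CN SUBJECT_CN: a throwaway CA signs one leaf certificate.
# Writes DIR/NAME-ca.pem (self-signed CA) and DIR/NAME.pem (leaf).
issue() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/$2-ca.key" -out "$1/$2-ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$4" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -days 1 -CA "$1/$2-ca.pem" \
        -CAkey "$1/$2-ca.key" -CAcreateserial -out "$1/$2.pem" 2>/dev/null
}

demo=$(mktemp -d)
# Leaf issued by a separate CA: issuer and subject differ.
issue "$demo" issued "Demo Root CA" "www.example.test"
# Leaf whose issuer name equals its subject name but is signed by another key.
issue "$demo" lookalike "lookalike.example.test" "lookalike.example.test"

# issued-ca.pem is the genuinely self-signed certificate in this set.
for c in issued-ca issued lookalike; do
    rc=0
    is_self_signed "$demo/$c.pem" || rc=$?
    echo "$c.pem -> $rc"
done
```

To inspect a live server instead of a file, save its leaf certificate with `openssl s_client -connect HOST:443 -servername HOST </dev/null | openssl x509 -out leaf.pem` and pass `leaf.pem` to `is_self_signed`.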
Why It Matters
Self-signed certificates are not trusted by any browser or operating system by default because they haven't been validated by a recognized third party. When a visitor reaches your site and their browser encounters a self-signed certificate, they receive a prominent security warning — "Your connection is not private" — that most users interpret as a sign the site is dangerous or compromised.
While self-signed certificates are appropriate for internal development or test environments, they have no place on production-facing domains. Free certificate authorities like Let's Encrypt make it trivial to obtain a trusted certificate at no cost, eliminating any justification for using self-signed certificates in production.
Good vs. Bad Configuration
Bad Configuration
example.com is serving a certificate where the issuer is "example.com" itself. Browsers display a certificate error, and visitors must manually accept a security exception to proceed — most won't.
Good Configuration
example.com serves a certificate issued by a trusted CA such as Let's Encrypt, DigiCert, or Sectigo. The certificate chain traces back to a root CA that is included in operating system and browser trust stores.
How DNS Spy Monitors This
DNS Spy checks the certificate issuer during each monitoring cycle. If the certificate is self-signed, an alert is raised. Replacing the self-signed certificate with one issued by a trusted CA will cause DNS Spy to detect the change and automatically resolve the alert on the next check cycle.