All certificates are signed in one of these ways:
With a self-signed certificate, the private key that belongs to the certificate is used to sign the certificate itself. This type of signature is not recommended for securing a server because trust cannot be verified: no party other than the certificate's owner vouches for it.
A self-signed certificate provides only data encryption.
If your network is self-contained, you can serve as your own Certificate Authority (CA).
When a company serves as its own CA, a certificate signed by the private key associated with one of its CA certificates (the root certificate) must be installed in the client browser and imported into the client platform/station's Trust Store.
If your network is exposed to the internet, a third-party CA provides the most secure communication, although at a cost.
Third-party companies that provide certificate signing services include VeriSign® and Thawte. The third party's own certificates, which contain only a public key and are signed by the third party, are distributed with a user's browser. NiagaraAX Workbench comes with a number of these certificates. No separate step is required to install them, but you must trust that the browser installation was secure. See Install certificates in a client browser.
You have your server certificates signed by creating a Certificate Signing Request (CSR) that contains your subject (Distinguished Name) and your public key. The process of generating a CSR also creates the private key, which must be kept secure. You send the CSR to the Certificate Authority.
Do not send your private key to the CA and do not distribute it via email.
When the CA receives the CSR file, it extracts certain information from the CSR, verifies your identity, creates a new certificate with itself as the Issuer, and signs the certificate with its root or an intermediate private key. The CA returns to you the signed certificate together with the CA certificate(s) it was signed under (root and intermediate).
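The CSR workflow just described, combined with the serve-as-your-own-CA case from earlier, carried through end to end with openssl. This is an added example, not part of the Tridium documentation: the CA name, the station hostname and the file paths are constructed for the demo, and the root key is kept in the same directory only for convenience (a real CA key is kept off the station). The last function shows why a self-signed server certificate cannot be verified: with no trust anchor for it in the client's store, verification fails even though the certificate is otherwise valid.

```shell
#!/bin/sh
# Added example (not Tridium documentation): issue a station certificate from a private CA.
# Every name and path below is constructed for this demo.
set -e

WORK="${WORK:-$(mktemp -d)}"

# 1. Private CA: root key plus self-signed root certificate. The root certificate is the
#    trust anchor that has to be imported into each client's Trust Store.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Internal Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# 2. Station side: generating the CSR creates the private key at the same time.
#    Only server.csr (subject + public key) leaves the host; server.key never does.
make_server_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=station.example.internal" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# 3. CA side: sign the CSR with the root private key. The CA becomes the Issuer of server.crt.
sign_server_csr() {
  openssl x509 -req -in "$WORK/server.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -days 365 -sha256 -out "$WORK/server.crt" 2>/dev/null
}

# Issuer field of the signed certificate, as printed by openssl.
server_issuer() {
  openssl x509 -noout -issuer -in "$WORK/server.crt"
}

# 4. Client side: the chain verifies only against an installed trust anchor (root.crt).
verify_with_trust_store() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Contrast: a self-signed station certificate has no issuer in the client's trust store,
# so verification fails. The function succeeds (returns 0) when that failure is observed.
self_signed_not_trusted() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=station.example.internal" \
    -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.crt" 2>/dev/null
  ! openssl verify -CAfile "$WORK/root.crt" "$WORK/selfsigned.crt" >/dev/null 2>&1
}

run_demo() {
  make_root_ca
  make_server_csr
  sign_server_csr
  echo "signed certificate issuer: $(server_issuer)"
  verify_with_trust_store && echo "CA-signed certificate verifies against root.crt"
  self_signed_not_trusted && echo "self-signed certificate does NOT verify against root.crt"
}

run_demo
```

Importing root.crt into the client Trust Store is the step that makes verify_with_trust_store succeed in a browser or Workbench; distributing server.key to anyone, including the CA, is never part of the process.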
Copyright © 2000-2014 Tridium Inc. All rights reserved.