It seems that one can obtain a valid SSL server certificate here at no cost.
I will want to remember that for my next web site. I always found it a bit silly not to support SSL/https on a web site, given that Apache has SSL support built in. But it is a bit of a showstopper that encryption is tied to certification of the identity of the web server, which forces you either to buy an expensive certificate (with all the hassle of ordering it) or to have your users presented with an obnoxious warning about an “invalid certificate”.
How come I cannot just create my own SSL key for the purpose of securely encrypting my users’ communications? For that purpose the certificate is certainly perfectly valid, despite the browser’s claim to the contrary. The self-signed certificate does not provide any additional guarantee about who the web site owner is, but that is usually of less concern. So why can’t these two issues be kept separate?
Or, to put it another way, how come a self-signed certificate is considered invalid, while no certificate at all (plain unencrypted http) is perfectly OK and not flagged by any warning?