A self-signed certificate is one whose signature was produced with the private key of its own subject: here the gateway signs its certificate with its own private key, so the issuer name and the subject name are the same. A self-signed certificate gives a relying party no third-party assurance of identity, because anyone can produce one with any name in it, but it is useful for testing applications that require certificates before a CA-signed certificate is available. The difference from a CA-issued certificate lies in who signs the certificate contents: a CA-issued certificate carries the CA's signature over those contents, a self-signed certificate carries the subject's own signature, and nothing outside the certificate vouches for the key.
An X.509 certificate has ten common fields, of which six are mandatory and four are optional. The mandatory fields are the serial number, the certificate signature algorithm identifier, the issuer name, the validity period, the public key (subjectPublicKeyInfo), and the subject name. The optional fields are the version number, the issuer and subject unique identifiers, and the extensions. The unique identifiers appear only in version 2 and version 3 certificates, and extensions only in version 3; when the version field is absent, the certificate is version 1.
The mandatory validity field gives the date on which the certificate becomes valid (notBefore) and the date on which it expires (notAfter). When certutil creates a certificate, the default validity period is three months; the -v option sets the number of months. A certificate can become untrustworthy before its expiration date arrives, for example when the private key is compromised or the subject's details change. The X.509 CRL mechanism lets a CA publish the status of the certificates it has issued, so that such certificates can be revoked before they expire. CAs also typically limit the validity period of the certificates they issue to one or two years, so that a compromised key or stale information stays usable for a bounded time.
When a certificate expires, it must be renewed. Renewal is the act of extending the validity of the binding asserted by a public key certificate by issuing a new certificate with a new validity period. Before relying on a certificate, you can validate it with certutil's -V option, which checks that the certificate is valid at a given time (-b, in YYMMDDHHMM[SS]Z form; the current time if omitted) for a given usage (-u, a string of usage letters such as S for e-mail signer and R for e-mail recipient). The -e option additionally verifies the signatures in the certificate chain, -l writes a log of the validation, and -d names the certificate database directory:
certutil -V -n certname -b validity-time -u certusage [-e] [-l] [-d certdir]
The following example validates the certificate whose nickname is email@example.com for e-mail signing and encryption (usage SR) as of 20 March 1998 at 12:12 UTC, checking signatures and logging the result:
certutil -V -n email@example.com -b 9803201212Z -u SR -e -l -d certdir
The Certificate Database Tool prints a result similar to one of the following. The first line is the success case; the second reports a certificate whose validity period has passed, and the third a certificate that is not approved for the requested usage:
Certificate: 'firstname.lastname@example.org' is valid.
UID=jsmith, E=email@example.com, CN=John Smith, O=Netscape Communications Corp., C=US : Expired certificate
UID=jsmith, E=firstname.lastname@example.org, CN=John Smith, O=Netscape Communications Corp., C=US : Certificate not approved for this operation
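To make the field layout described above and the validity check that certutil -V performs concrete, here is an added Python example; it is not code from the original page or from NSS. It builds a small self-signed certificate with a hand-rolled DER encoder (the public key and the signature are constructed placeholders, not real RSA values), parses it back with a minimal TLV walker, reports which of the ten X.509 fields are present, and then evaluates the certificate's validity period against a time given in the same YYMMDDHHMM[SS]Z form that -b accepts, including the two-digit-year century pivot that UTCTime uses. The verdict strings and the nickname gateway.test are this example's own.

```python
"""Walk the TBSCertificate fields of a DER certificate and check its validity period.

Added example, not code from the original page or from NSS. The certificate is
constructed here with a minimal DER encoder; its key and signature are placeholders.
"""
from datetime import datetime, timezone

# ---- minimal DER encoder: only what the sample certificate needs ----
def der(tag: int, payload: bytes) -> bytes:
    """Tag-length-value with short or long-form length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(enc)]) + enc
    return bytes([tag]) + length + payload

def seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))

def integer(n: int) -> bytes:
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # OID 1.2.840.113549.1.1.11
RSA_ENC = bytes.fromhex("06092a864886f70d010101")     # OID 1.2.840.113549.1.1.1
CN = bytes.fromhex("0603550403")                      # OID 2.5.4.3 commonName
BASIC_CONSTRAINTS = bytes.fromhex("0603551d13")       # OID 2.5.29.19

def alg(oid: bytes) -> bytes:
    return seq(oid, der(0x05, b""))                   # AlgorithmIdentifier with NULL parameters

def name(cn: str) -> bytes:
    return seq(der(0x31, seq(CN, der(0x0C, cn.encode()))))  # SEQ { SET { SEQ { OID, UTF8String } } }

def utctime(ts: str) -> bytes:
    return der(0x17, ts.encode("ascii"))              # UTCTime, YYMMDDHHMMSSZ

def sample_self_signed(cn: str, not_before: str, not_after: str) -> bytes:
    """Constructed v3 certificate: issuer == subject, placeholder key and signature."""
    spki = seq(alg(RSA_ENC), der(0x03, b"\x00" * 17))          # BIT STRING: unused-bits byte + zeros
    basic_ca = seq(BASIC_CONSTRAINTS, der(0x01, b"\xff"),      # critical TRUE
                   der(0x04, seq(der(0x01, b"\xff"))))         # OCTET STRING { SEQ { cA TRUE } }
    tbs = seq(
        der(0xA0, integer(2)),                         # [0] version (value 2 = v3); optional
        integer(0x1234),                               # serialNumber
        alg(SHA256_RSA),                               # signature algorithm identifier
        name(cn),                                      # issuer
        seq(utctime(not_before), utctime(not_after)),  # validity
        name(cn),                                      # subject; same as issuer, hence self-signed
        spki,                                          # subjectPublicKeyInfo
        der(0xA3, seq(basic_ca)),                      # [3] extensions; optional, v3 only
    )
    return seq(tbs, alg(SHA256_RSA), der(0x03, b"\x00" * 33))  # placeholder signature BIT STRING

# ---- minimal DER walker ----
def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value: bytes):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

OPTIONAL = {0xA0: "version", 0x81: "issuerUniqueID", 0x82: "subjectUniqueID", 0xA3: "extensions"}
MANDATORY = ["serialNumber", "signature", "issuer", "validity", "subject", "subjectPublicKeyInfo"]

def tbs_fields(cert: bytes) -> dict:
    """Map field name -> raw DER value for every TBSCertificate field that is present."""
    _, body, _ = read_tlv(cert, 0)                     # Certificate ::= SEQ { tbs, sigAlg, signature }
    _, tbs, _ = read_tlv(body, 0)
    fields, mandatory = {}, iter(MANDATORY)
    for tag, val in children(tbs):
        # Optional fields carry context-specific tags; the six mandatory ones come in fixed order.
        fields[OPTIONAL.get(tag) or next(mandatory)] = val
    return fields

def version(fields: dict) -> int:
    """X.509 version number; an absent version field means v1."""
    if "version" not in fields:
        return 1
    return int.from_bytes(children(fields["version"])[0][1], "big") + 1

def is_self_signed(fields: dict) -> bool:
    """Name check only (issuer DER == subject DER); it does not verify the signature."""
    return fields["issuer"] == fields["subject"]

def parse_x509_time(tag: int, raw: bytes) -> datetime:
    """UTCTime (YYMMDDHHMMSSZ, two-digit year, pivot 50) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    text = raw.decode("ascii")
    if tag == 0x17:
        text = ("19" if int(text[:2]) >= 50 else "20") + text   # RFC 5280 section 4.1.2.5.1
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_certutil_time(text: str) -> datetime:
    """certutil -b value, YYMMDDHHMM[SS]Z; seconds optional, same century pivot as UTCTime."""
    if len(text) == 11:
        text = text[:10] + "00Z"
    return parse_x509_time(0x17, text.encode("ascii"))

def check_validity(cert: bytes, at: datetime) -> str:
    """Validity-period verdict for the certificate at time `at` (verdict strings are this example's own)."""
    nb, na = children(tbs_fields(cert)["validity"])
    not_before, not_after = parse_x509_time(*nb), parse_x509_time(*na)
    if at < not_before:
        return "Certificate not yet valid"
    if at > not_after:
        return "Expired certificate"                   # mirrors the verdict in the page's sample output
    return "valid"

if __name__ == "__main__":
    cert = sample_self_signed("gateway.test", "980320121200Z", "980620121200Z")  # three-month validity
    f = tbs_fields(cert)
    print("fields:", ", ".join(sorted(f)), "| version", version(f), "| self-signed:", is_self_signed(f))
    for when in ("9803201212Z", "9807011200Z", "4912312359Z", "5001010000Z"):
        print(when, "->", check_validity(cert, parse_certutil_time(when)))
```

The last two probe times show why the century pivot matters: 4912312359Z is the last instant UTCTime can express in 2049, while 5001010000Z is read as the year 1950, so a naive two-digit comparison would order them the wrong way round. A real validator would also verify the signature over the TBSCertificate and consult a CRL, neither of which this walker does.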