I'm new to SSL Certificates. I've seen some tutorials about creating personal certificates but I didn't go far reading.
It seems that I can create a personal SSL Certificate and use it on my website, but the question is:
Will it do its job nicely?
Will the connection with my customers be encrypted?
Is it possible to create a personal SSL Extended Validation certificate on my own, or do I need a certificate authority?
My point is I don't need insurance; I just want to add another layer of protection and safety for my customers. They won't actually buy on my website, but from PayPal, but an SSL certificate would increase their trust in my website. I don't care if some company will take responsibility and appear on my certificate info.
You are free to generate your own SSL certificate. Just be aware that your users will get a big scary warning message saying the certificate can't be verified. This will trouble many users. Some may just leave, or call your support line, both of which can cost you money.
SSL certificates have two purposes:
A self-signed certificate only accomplishes the first purpose, unless you have a way for people to verify the certificate, like giving them a copy of the public half in person so they can add it to their trusted certificate store.
The verifying part ensures that, for example, I didn't generate a certificate with your website's name, then hijack your customer's DNS or network connection, and direct them to my server. In theory, Verisign/Godaddy/Whoever won't give me a certificate for your website.
For internal sites, or small ones where you can easily get your users to install a certificate, a self signed one works fine. For a public facing site, it's pretty much unacceptable. Even though it enables encryption, it doesn't prove you are who you say you are. And it throws up a BIG SCARY error message. That alone is reason enough to pay the few bucks for a valid trusted certificate.
As for extended validation certificates - there is no way to make your own. The browsers have a very specific list of which root certificates are allowed to have extended validation, and that usually isn't user configurable. Short of reprogramming, compiling and distributing your own copy of Chrome or Firefox, it's not going to be a free option.
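An added example, not from any of the answers above, that walks through the two points made here with the `openssl` command line: the certificate encrypts fine, but it is only trusted once a copy of it sits in the client's trust store, and even then only for the name it was issued for. The hostname `shop.example`, the working directory and the helper function names are assumptions for the demonstration; it requires an OpenSSL 1.1 or newer CLI.

```shell
#!/bin/sh
# Added example, not from the answers above. Creates a self-signed certificate
# for a hypothetical host and shows what verification does before and after
# that certificate is installed as a trust anchor. Requires the openssl CLI.
set -e

WORK=$(mktemp -d)
HOST="shop.example"      # placeholder hostname for the demonstration

# Key plus self-signed certificate in one step (what the tutorials describe).
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$HOST" -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
        >/dev/null 2>&1
}

# Run "openssl verify" with the given options and reduce the result to
# trusted/untrusted. Older OpenSSL builds exit 0 even on failure, so the
# output is checked for an error line as well as the exit status.
check() {
    out=$(openssl verify "$@" "$WORK/cert.pem" 2>&1) || { echo untrusted; return; }
    case "$out" in
        *error*) echo untrusted ;;
        *)       echo trusted ;;
    esac
}

# 1. Against the system trust store: nobody the browser already trusts
#    signed it, so this is the "big scary warning" case.
verify_default() { check; }

# 2. With the certificate itself as the trust anchor: this is what happens
#    after a user imports the public half into their trusted store.
verify_with_anchor() { check -CAfile "$WORK/cert.pem"; }

# 3. Same anchor, but also checking the name the client expected. A cert
#    issued for one name is still rejected when presented for another.
verify_as_host() { check -CAfile "$WORK/cert.pem" -verify_hostname "$1"; }

make_self_signed
echo "system trust store:         $(verify_default)"
echo "cert imported as anchor:    $(verify_with_anchor)"
echo "anchor, name $HOST:         $(verify_as_host "$HOST")"
echo "anchor, name other.example: $(verify_as_host other.example)"
```

The first line prints `untrusted`, the next two print `trusted`, and the last prints `untrusted` again, which is the difference between "it encrypts" and "it proves who you are".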
This is actually pretty common (unfortunately) within businesses that deploy SSL enabled sites internally to their employees (SSL VPN comes to mind) or externally (extranet).
With a self-signed certificate what you are saying is:
"If you trust me come on in!"
...and most browsers will warn the user to verify the trust. Some will simply choose to permanently trust the site and the certificate (again common in internal company apps/sites).
With a third-party trusted certificate what you are saying essentially is:
"If you trust [insert 3rd party cert provider] come on in!"
By default, browsers/OSes have a list (updated from time to time) of trusted providers of certificates. This list allows the browser (and therefore the user) to trust that a certificate is what it says it is, and is issued to/for what it says it is. You can think of it as similar to a notary public. The 3rd party is there simply to say "Yep, I issued them a certificate based on the validity of the info at the time".
So, whether you choose to deploy a self-signed cert or not is really up to you and your case/need. You'll need to decide whether your customers/users will care or need that "assurance" that a valid 3rd party cert can provide.
If you want a free SSL certificate, the best place I have found is StartSSL. It is not as user friendly as other places, but it is free for basic SSL certs and a low-priced one-time fee for others; it is worth it. As for extended validation, all of the companies that offer them require proof of legal and physical presence of a business.