I purchased a domain name. I set up a website that is deployed on Apache, that is accessible at my domain, currently over the HTTP protocol (port 80). I now want to configure this Apache server for SSL. I'm evaluating the two options below.
Option #1: I create the "Certificate Signing Request" (CSR), then while acting as the CA, I create the certificate based on the CSR, I then configure Apache to be running on port 443, with the certificate I created.
Option #2: I create the CSR, I submit my CSR to a widely known CA like Symantec to get a certificate. I then configure Apache to be running on port 443, with the certificate provided by Symantec.
What are the downfalls to option #1?
From an end-user perspective "someone accessing my site", what indications would they have that I used option #1?
Is it correct to assume, with option #1, that I couldn't get end-users accessing my site to get a green bar menu?
With option 1 the end user has no confidence they are not being spoofed. Because you are acting as your own CA, the end user has to make a decision about whether to trust you. If they do, they may well be trusting someone who has intercepted your request and used their own certificate.
With option 2 the user is trusting the CA that provided your certificate and can be more confident that no man-in-the-middle attack is taking place.
For some purposes your own self-signed cert can be fine. Not for any real e-commerce though.
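The following script is an added example and is not code from the question or the answer above. It carries out option #1 with the openssl command line (private CA, server key and CSR, certificate signed by that CA) and then performs the check a TLS client performs when it connects, which is exactly what the answer is describing: a client that holds only the system trust store rejects the certificate, a client that has imported the private CA accepts it, and the issuer name is what a user sees when they inspect the certificate. The hostname www.example.com, the CA name "My Private CA", the work directory and the stripped-down vhost are assumptions for illustration; the Apache directives shown are the standard mod_ssl ones.

```shell
#!/bin/sh
# Added example (not from the original post): option #1, "be your own CA",
# done with the openssl CLI, plus the client-side check that exposes it.
# Assumptions: openssl is on PATH; hostname and CA name below are made up.
set -e

SITE="www.example.com"        # assumed hostname of the Apache vhost
CA_NAME="My Private CA"       # assumed name of the home-grown CA

# Build the whole option #1 chain inside directory $1:
#   ca.key / ca.crt          the private root CA (self-signed)
#   server.key / server.csr  the server key and CSR (the CSR is the same thing
#                            you would send to a public CA in option #2)
#   server.crt               the CSR signed by the private CA
make_self_ca_chain() {
    dir="$1"
    mkdir -p "$dir"
    # 1. Private CA: self-signed, marked as a CA. No browser ships with it.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca_ext.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$CA_NAME" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca_ext.cnf" -out "$dir/ca.crt" 2>/dev/null
    # 2. Server key and CSR. This step is identical for option #1 and option #2.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$SITE" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # 3. Sign the CSR with the private CA. Browsers match the hostname against
    #    subjectAltName rather than CN, so the extension file supplies one.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
        "$SITE" > "$dir/ext.cnf"
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/ext.cnf" -out "$dir/server.crt" 2>/dev/null
}

# Path validation the way a client does it. $2 is the trust bundle the client
# holds; pass "" for a stock client that relies only on the system store (i.e.
# a browser that has never imported your CA). Prints "ok" or "untrusted".
check_as_client() {
    dir="$1"; bundle="$2"
    if [ -n "$bundle" ]; then
        out=$(openssl verify -CAfile "$bundle" "$dir/server.crt" 2>/dev/null || true)
    else
        out=$(openssl verify "$dir/server.crt" 2>/dev/null || true)
    fi
    case "$out" in
        *": OK"*) echo ok ;;
        *)        echo untrusted ;;
    esac
}

# What a user sees when they click the padlock and look at the issuer.
cert_issuer() {
    openssl x509 -noout -issuer -in "$1/server.crt"
}

# mod_ssl directives that load the generated files. For option #2 only the
# certificate file (and a chain file from the public CA) would differ.
apache_vhost() {
    dir="$1"
    cat <<EOF
<VirtualHost *:443>
    ServerName $SITE
    SSLEngine on
    SSLCertificateFile    $dir/server.crt
    SSLCertificateKeyFile $dir/server.key
</VirtualHost>
EOF
}

# Stand-alone run:  sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    WORK="$(mktemp -d)"
    make_self_ca_chain "$WORK"
    echo "issuer shown to the user: $(cert_issuer "$WORK")"
    echo "stock client:             $(check_as_client "$WORK" "")"
    echo "client that imported CA:  $(check_as_client "$WORK" "$WORK/ca.crt")"
    apache_vhost "$WORK"
fi
```

The two `check_as_client` results are the whole difference between the options: with option #1 every visitor is in the "stock client" case until they manually import ca.crt, and once they have, anyone who obtains ca.key can issue a certificate for the same name that their browser will also accept, which is the spoofing risk the answer points out.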