- Self-Signed Certificates (not recommended)
Every certificate must be signed by someone. If no certificate authority is involved, the only party left to sign the owner's certificate is the owner himself, which produces a self-signed certificate. There is no chain of trust above such a certificate: the owner acts as his own certification authority, so by default no client trusts it. For a client to accept the certificate, it must be explicitly told that the certificate is trustworthy by having that certificate installed in its trust store as a trusted root. That decision has to be made on every single client, and it teaches users to click through certificate warnings, so self-signed certificates should not be used outside of development and test scenarios.
- Company CA
An alternative to a trusted "public" CA, particularly for larger organizations, is to run a private company CA. The company CA's root certificate is installed as a trusted root on all of the company's devices (typically through device management), which lets the company issue and sign certificates for internal services that every company device then trusts. Technically the company root is itself a self-signed certificate; the difference from the previous case is that the trust decision is made once, centrally, for a single well-protected signing key rather than per server and per client. Two caveats apply: devices outside the company (customers, partners, private devices) do not trust these certificates, and the root key must be guarded carefully, since whoever holds it can issue a certificate for any name that all company devices will accept.
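The two cases above come down to one question: can the client build a chain from the presented certificate to something in its trust store? The following added example (not code from the original page) shows that with `openssl verify` driven from Python. It assumes the `openssl` command line tool (OpenSSL 1.1.1 or newer) is on PATH; the host names, subjects and file names are constructed for the illustration.

```python
"""Chain of trust: a self-signed certificate vs. one issued by a company CA.

Added example, not code from the original page. It drives the `openssl` CLI
(assumed to be OpenSSL 1.1.1 or newer and on PATH) from Python; every host
name, subject and file name below is constructed for the illustration.
"""
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, Optional


def openssl(*args: str, cwd: Path, check: bool = True) -> subprocess.CompletedProcess:
    """Run one openssl command inside the working directory."""
    return subprocess.run(["openssl", *args], cwd=cwd, capture_output=True,
                          text=True, check=check)


def make_pki(workdir: Path) -> None:
    """Create three artifacts in workdir:
    selfsigned.crt  - a server certificate signed with its own key
    root.crt        - the company root CA (self-signed, but meant to be a trust anchor)
    server.crt      - a server certificate issued (signed) by root.crt
    """
    # 1. Self-signed server certificate: subject == issuer, no chain above it.
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "30",
            "-subj", "/CN=dev.example.internal",
            "-addext", "subjectAltName=DNS:dev.example.internal",
            "-keyout", "selfsigned.key", "-out", "selfsigned.crt", cwd=workdir)
    # 2. Company root CA. `req -x509` marks it CA:TRUE via the default config.
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "3650",
            "-subj", "/CN=Example Corp Root CA",
            "-keyout", "root.key", "-out", "root.crt", cwd=workdir)
    # 3. Server key + CSR, then the CA signs the CSR with end-entity extensions.
    openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
            "-subj", "/CN=intranet.example.internal",
            "-keyout", "server.key", "-out", "server.csr", cwd=workdir)
    (workdir / "leaf.ext").write_text(
        "basicConstraints=CA:FALSE\n"
        "keyUsage=critical,digitalSignature,keyEncipherment\n"
        "extendedKeyUsage=serverAuth\n"
        "subjectAltName=DNS:intranet.example.internal\n")
    openssl("x509", "-req", "-in", "server.csr", "-CA", "root.crt", "-CAkey", "root.key",
            "-CAcreateserial", "-days", "365", "-extfile", "leaf.ext",
            "-out", "server.crt", cwd=workdir)


def client_trusts(cert: str, trust_anchor: Optional[str], workdir: Path) -> bool:
    """Emulate a client's chain validation with `openssl verify`.

    trust_anchor=None  -> only the client's default (public) trust store
    trust_anchor=file  -> that file has additionally been installed as a trusted root
    """
    args = ["verify"]
    if trust_anchor is not None:
        args += ["-CAfile", trust_anchor]
    result = openssl(*args, cert, cwd=workdir, check=False)
    return result.returncode == 0


def run_demo() -> Dict[str, bool]:
    """Return the outcome of each certificate / trust-store combination."""
    with tempfile.TemporaryDirectory() as tmp:
        wd = Path(tmp)
        make_pki(wd)
        return {
            # nobody trusts a self-signed certificate by default ...
            "selfsigned_default_store": client_trusts("selfsigned.crt", None, wd),
            # ... unless that exact certificate was installed as a root
            "selfsigned_installed_as_root": client_trusts("selfsigned.crt", "selfsigned.crt", wd),
            # the company-issued certificate is equally unknown to the public store ...
            "company_cert_default_store": client_trusts("server.crt", None, wd),
            # ... but one installed root makes every certificate it issued trusted
            "company_cert_with_company_root": client_trusts("server.crt", "root.crt", wd),
            # the company root does not vouch for certificates it did not sign
            "selfsigned_with_company_root": client_trusts("selfsigned.crt", "root.crt", wd),
        }


if __name__ == "__main__":
    for name, trusted in run_demo().items():
        print(f"{name:35} {'trusted' if trusted else 'REJECTED'}")
```

The last row is the one worth remembering: installing the company root does not make arbitrary self-signed certificates acceptable, only certificates that chain to that root. Conversely, the second row shows that a self-signed certificate only ever becomes trusted by pinning that one certificate on each client.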
- LetsEncrypt Certificate (recommended)
LetsEncrypt is a non-profit certificate authority that issues free TLS certificates for web servers and automates both validation and renewal through the ACME protocol (its certificates are valid for 90 days, so renewal must be automated as well). To validate the owner of a domain, LetsEncrypt uses a challenge-response scheme that follows a "don't call us, we'll call you" approach: the LetsEncrypt server hands the requesting client a random token, the client derives a key authorization from that token and its ACME account key and publishes it under the domain, and LetsEncrypt then calls the domain the certificate is requested for and checks that the expected value is there. LetsEncrypt offers several ways in which it can call the requesting server back: HTTP-01 (the value is served over plain HTTP on port 80 at /.well-known/acme-challenge/<token>), DNS-01 (a hash of the value is published as a TXT record at _acme-challenge.<domain>) and TLS-ALPN-01 (the value is presented in a special certificate on port 443). This callback is mandatory, so LetsEncrypt can only work for systems it can reach: with HTTP-01 and TLS-ALPN-01 the server itself must be accessible from the public internet, while with DNS-01 only the domain's DNS zone has to be publicly resolvable, which makes DNS-01 the option for hosts that are not internet-facing.
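The key-authorization value at the heart of that callback is small enough to work through. The following added example (not code from the original page or from LetsEncrypt) computes it as RFC 8555 and RFC 7638 specify, derives the HTTP-01 and DNS-01 responses from it, and simulates the CA's callback against an in-memory "internet". The account key (`SAMPLE_N`, `SAMPLE_E`), the domain names and the `Fetcher` stand-in for the CA's outbound HTTP request are constructed for the illustration.

```python
"""How an ACME CA such as Let's Encrypt validates control of a domain (RFC 8555).

Added example, not code from the original page or from Let's Encrypt. The
account key (SAMPLE_N, SAMPLE_E), the domain names and the in-memory "internet"
are constructed for the illustration; the key-authorization and thumbprint
computations follow RFC 8555 section 8 and RFC 7638.
"""
import base64
import hashlib
import json
import secrets
from typing import Callable, Dict, Optional, Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def uint_to_b64url(value: int) -> str:
    """Big-endian unsigned integer encoding used for RSA 'n' and 'e' in a JWK."""
    return b64url(value.to_bytes((value.bit_length() + 7) // 8, "big"))


def rsa_jwk_thumbprint(n: int, e: int) -> str:
    """RFC 7638 thumbprint of an RSA account key: SHA-256 over the canonical JSON
    of the required members (e, kty, n) in lexicographic order, no whitespace."""
    jwk = {"e": uint_to_b64url(e), "kty": "RSA", "n": uint_to_b64url(n)}
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token || '.' || thumbprint."""
    return f"{token}.{thumbprint}"


def http01_path(token: str) -> str:
    """Where the CA fetches the HTTP-01 response (plain HTTP on port 80)."""
    return f"/.well-known/acme-challenge/{token}"


def dns01_txt_value(key_auth: str) -> str:
    """DNS-01 publishes base64url(SHA-256(keyAuthorization)) as a TXT record at
    _acme-challenge.<domain>; only the hash leaves the client."""
    return b64url(hashlib.sha256(key_auth.encode("ascii")).digest())


def new_token() -> str:
    """Challenge token: at least 128 bits of entropy, base64url (RFC 8555 section 8.3)."""
    return b64url(secrets.token_bytes(32))


def client_responses(domain: str, token: str, n: int, e: int) -> Dict[str, Tuple[str, str]]:
    """Client side: what has to be published for each challenge type."""
    ka = key_authorization(token, rsa_jwk_thumbprint(n, e))
    return {"http01": (http01_path(token), ka),
            "dns01": (f"_acme-challenge.{domain}", dns01_txt_value(ka))}


# A fetcher stands in for the CA's outbound HTTP request: (domain, path) -> body,
# or None when the host cannot be reached from the CA's vantage point.
Fetcher = Callable[[str, str], Optional[str]]


def ca_validate_http01(fetch: Fetcher, domain: str, token: str, n: int, e: int) -> bool:
    """CA side: recompute the expected key authorization from the token it issued
    and the account's public key, then check that the domain serves exactly that."""
    expected = key_authorization(token, rsa_jwk_thumbprint(n, e))
    body = fetch(domain, http01_path(token))
    return body is not None and body.strip() == expected


# Constructed stand-in for an RSA account public key (not a real key pair).
SAMPLE_E = 65537
SAMPLE_N = int.from_bytes(hashlib.sha256(b"constructed modulus").digest() * 8, "big") | (1 << 2047) | 1


def run_demo() -> Tuple[bool, bool, bool]:
    """Three validations: a reachable public host, a host the CA cannot reach,
    and a response published under a different account key."""
    internet: Dict[str, Dict[str, str]] = {}  # domain -> {path: body}, only public hosts

    def fetch(domain: str, path: str) -> Optional[str]:
        if domain not in internet:
            return None            # no route from the CA to this host
        return internet[domain].get(path)   # missing file behaves like a 404

    # 1. Public web server: the client writes the key authorization into its webroot.
    token = new_token()
    path, body = client_responses("www.example.org", token, SAMPLE_N, SAMPLE_E)["http01"]
    internet.setdefault("www.example.org", {})[path] = body
    public_ok = ca_validate_http01(fetch, "www.example.org", token, SAMPLE_N, SAMPLE_E)

    # 2. Internal host: the file may exist locally, but the CA never gets there.
    internal_ok = ca_validate_http01(fetch, "intranet.example.internal", new_token(), SAMPLE_N, SAMPLE_E)

    # 3. Someone who can write to the webroot but does not hold the account key.
    token3 = new_token()
    path3, body3 = client_responses("www.example.org", token3, SAMPLE_N + 2, SAMPLE_E)["http01"]
    internet["www.example.org"][path3] = body3
    wrong_key_ok = ca_validate_http01(fetch, "www.example.org", token3, SAMPLE_N, SAMPLE_E)

    return public_ok, internal_ok, wrong_key_ok
```

Two things the code makes visible that the prose only hints at: the CA never sends a secret to the owner, it only ever hands out a random token and later compares against a value it can recompute itself, and the thumbprint binds the challenge to the ACME account key, so writing into a webroot alone (case 3) is not enough to get a certificate issued to a different account.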