I'm working on both an iOS app and a server that it interacts with. Confidential information will be going back and forth between the two, meaning that it's important that their communications are encrypted. I'm confused about HTTPS/SSL and the certificate(s?) involved.

What exactly is the purpose of a certificate authority? I vaguely get that somehow it's supposed to tell the client application that they can trust that the only person who can decrypt the messages that they encrypt is who they think it is (that is, that a man-in-the-middle attack has not taken place). But it seems to me that I could just have a self-signed certificate. The client applications would know they could trust the server because they'd be downloaded from the App Store already knowing the fingerprint of the proper certificate, and so they'd be able to see that it was correct without needing to rely on a certificate authority.

Am I naïve in thinking that I can just use a self-signed certificate? If a self-signed certificate is adequate, then my next question is: how do I obtain a self-signed certificate?

Then my final questions (for now), whether I end up needing a self-signed certificate or one from a certificate authority, are:

1. What changes do I need to make to my server? My stack is OS X, Apache, Python, Django, Django Rest Framework... I think that using the self-signed certificate means some kind of change to Apache, but I'm not exactly sure.
2. What changes do I need to make to my iOS App? It's using MKNetworkKit.
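The "client already knows the fingerprint" idea in the question is certificate pinning. The following is an added example, not code from the question or from MKNetworkKit: it shows the same check a pinned client would make, written in Python against the standard-library `ssl` module so it can be read alongside the Django side of the stack. The client ignores the CA chain entirely and instead compares the SHA-256 fingerprint of the certificate the server actually presents with a fingerprint compiled into the app. `CONSTRUCTED_DER` is a placeholder byte string standing in for a real DER certificate so the fingerprint logic can run offline; `connect_pinned` and `context_trusting_only` are hypothetical helper names.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a server certificate in DER form. A real client
# gets these bytes from the TLS handshake via getpeercert(binary_form=True);
# this placeholder only lets the fingerprint logic run without a network.
CONSTRUCTED_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as lowercase hex, no colons.
    This is the value you would ship inside the app."""
    return hashlib.sha256(der_bytes).hexdigest()


def _normalise(pin: str) -> str:
    # Accept the colon-separated, upper-case form that `openssl x509
    # -fingerprint` prints, as well as plain lowercase hex.
    return pin.replace(":", "").lower()


def pin_matches(der_bytes: bytes, pinned_fingerprints) -> bool:
    """True if the presented certificate matches any pinned fingerprint.

    Several pins are accepted so a replacement certificate can be rolled out
    before the old one is retired; compare_digest avoids a timing side channel.
    """
    actual = fingerprint(der_bytes)
    return any(hmac.compare_digest(actual, _normalise(p)) for p in pinned_fingerprints)


def connect_pinned(host: str, port: int, pinned_fingerprints, timeout: float = 10.0):
    """Open a TLS connection and abort unless the leaf certificate is pinned.

    Chain verification is switched off because a self-signed certificate has
    no CA to chain to; the pin is therefore the only trust anchor, so a
    mismatch must close the socket before any request is written.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # trust comes from the pin, not a CA
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)
        if not pin_matches(der, pinned_fingerprints):
            raise ssl.SSLError("server certificate does not match the pinned fingerprint")
    except Exception:
        tls.close()
        raise
    return tls


def context_trusting_only(cert_pem: str) -> ssl.SSLContext:
    """Alternative to fingerprint pinning: treat the self-signed certificate
    itself as the only trusted root, keeping hostname and expiry checks.

    `cert_pem` is the PEM text of the server certificate shipped with the app.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cadata=cert_pem)  # no system CA store is loaded
    return ctx
```

On the server side, a self-signed certificate for testing can be produced with `openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365`, and the value to pin is printed by `openssl x509 -in cert.pem -noout -fingerprint -sha256`. The trade-off between the two helpers: `connect_pinned` trusts exactly one public key regardless of what the certificate says, while `context_trusting_only` still enforces the name and validity period, at the cost of having to ship a new app build when the certificate changes in either case.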