Re: Certificates are the illusion of security
"Therefore, although they COULD in theory sign a fake cert of their own and have it accepted by some browsers as being valid credentials for your site and then man-in-the-middle your server so that they accept connections with THEIR generated private key instead of yours, almost any modern browser will throw a fit when they try this."
very true. I've been deep into researching cert-land over the last ~2 weeks (and some prior). A summary of what I've found: you can be your own CA, but you have to load the root (and other) certs onto the target machines somehow (let's say an application installer program, like the one I recently open sourced). Like with a self-signed cert, however, you throw warnings in web browsers.
Internet Explorer uses Windows' system cert store, and you can have an application installer (let's say) install new root certs to prevent warnings. Incidentally, this can happen without your knowledge from any application running with 'Admin' privs, calling the right functions.
Firefox and other browsers often have their OWN cert stores separate from the OS, so you'll have to get past THEIR security and warnings to load new root certs.
Intarweb filtering appliances often use the 'MITM' technique as part of their operations (did you mention those? I might've missed it), so IT people must load the appliance's root certs on everyone's workstation by policy or manually [whichever].
As for code-signing, kernel drivers require a "microsoft signature" to load from bootup, but they can dynamically load after boot using regular signed certs (so load your root and signing certs and your drivers will work post-boot, but not during boot). Enabling 'self cert' lets you test things, but apparently shuts off DRM-related things. Not like I need them...
Microsot has also added an even BIGGER "tollbooth" with regards to signing requirements in windows 10, allegedly for quality assurance, but most likely to put even BIGGER roadblocks and tolls in place for independent devs and open sourcers, and maybe lock us into all using windows 10 and playing by THEIR rules forever. That's my opinion, ok.
As for web site certs, self-signs work, but throw a warning (typically) as you pointed out. If you accept the cert by ignoring the warning, https will work just fine like it was meant to be.
openssl can create certs easily, and there are several good online resources on how to do this (including my own web page on being your own cert authority). So yeah, the info is a search engine away. code-signing resources go through Microsoft's "circle jerk" documentation hell, so it's harder to find THAT information without time and frustration.
And related, MS's own examples for code signing self-certs actually create certs that use sha1. But sha256 works fine for code signing certs as far as I can tell (creating my own, of course). But I did see some odd behavior in the kernel debug output in Win 7 checked build when using sha256, some assert about the hash length being larger than some value...
hopefully not 'too long' forcing 'did not read'