Hi, I have hosted my website, which is developed in ASP.NET and hosted on an IIS server (I have my own web hosting provider). The website is running on HTTP. Now I want to change to HTTPS.

So, if I use my own SSL certificate, which I generated myself using IIS, is it secure, or do I have to buy an SSL certificate from a third party?

What will happen if I use an SSL certificate that I generated myself?

Note: I have a separate server where I am hosting my website myself. I am not using a third party to host my website. I have my own IIS web host provider.

It will be perfectly secure. And it will help you only in half. Probably you don't completely understand the role of a server-side certificate; that's the only problem.

Consider your user is a member of your team or a friend who knows your URL, and you passed the certificate's public key directly to this person, so she/he will know for sure that this data came from you, not from some malicious artist trying to impersonate you. Then, this person can use your site and trust it with some sensitive data or monetary transaction to exactly the same degree as if it were you. This person, in case of some doubt about possible spoofing, can request the certificate from your site, get the key and compare the data with the data you have. This schema, based on open-key encryption, guarantees that the site this person uses is authentic. And then, HTTPS (SSL) will guarantee secured communication between the site and the client. Everything is perfectly safe.

The only problem is: what if this is somebody else who needs to use your services which require authentication? The privacy of communication is guaranteed by the technology, but look, anyone can mimic your site and use spoofing to represent some malicious site as if it were yours. Such a malicious site, for example, can collect private information from your misled customers, such as passwords and data which could be used for, say, identity theft. You can read about such things:
http://en.wikipedia.org/wiki/Website_spoofing

So, here is what happens: this cheater can also generate the certificate, exactly the same way as you would do. What is the difference? There is no way to provide a public key for your user, to tell good from evil, in some independent secure channel. In both cases, the browser will show that the certificate is signed by an unknown party. So, in this situation, the HTTPS mechanism will be perfectly safe. For you. But it won't assure a user that your site should be trusted. Well, only the security-savvy users will really care, but nevertheless… Are you getting the idea of the problem?

Here is where the certificate authority comes into play. The authority makes no difference except just one: the certificate chain leads up to the authority, which is reputed and well-known. In turn, this authority does not guarantee that your site is safe and your intentions are good. It will only certify that the name, or identity of the organization recorded in the certificate (and other identity data, such as dates) are the same as you claim in the content of your site. If your site claims that it represents John Doe, the certificate authority will certify, in a way that cannot be technically spoofed, that the certificate was also issued in the name of John Doe.

For further information, please see:
http://en.wikipedia.org/wiki/Certificate_authority,
http://en.wikipedia.org/wiki/Trusted_third_party,
http://en.wikipedia.org/wiki/Public_key_certificate,
http://en.wikipedia.org/wiki/Public-key_encryption,
http://en.wikipedia.org/wiki/Digital_signature.

—SA
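
The out-of-band comparison described in the answer above, as an added example that is not part of the original post: the site owner hands a user the certificate's SHA-256 fingerprint over a separate trusted channel, and the user checks the certificate the server presents against it before sending anything. The function names and the two byte strings standing in for DER certificates are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize_pin(pin: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex, as a person would pass it on."""
    cleaned = "".join(ch for ch in pin if ch not in ": -\t\n").lower()
    if len(cleaned) != 64 or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("pin is not a SHA-256 fingerprint")
    return cleaned


def matches_pin(der_cert: bytes, pin: str) -> bool:
    """True only if the presented certificate is the one the owner handed over."""
    return hmac.compare_digest(fingerprint(der_cert), normalize_pin(pin))


def fetch_der_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the server's leaf certificate without CA validation.

    Chain validation is switched off on purpose: a self-signed certificate
    has no chain to a trusted authority, so the pin is the only trust anchor.
    The connection is closed before any application data is sent.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-ins for two DER certificates (not real certificates):
# the owner's and a look-alike generated by someone else with the same name.
OWNER_CERT = b"constructed-der-bytes: CN=example.test, key A"
LOOKALIKE_CERT = b"constructed-der-bytes: CN=example.test, key B"
# Fingerprint the owner passes on over a separate, trusted channel.
OWNER_PIN = ":".join(f"{b:02X}" for b in hashlib.sha256(OWNER_CERT).digest())
```

Against a live server the check is `matches_pin(fetch_der_cert(host), pin)`; a user who has no pin from the owner cannot tell the two certificates apart, which is the gap a certificate authority fills.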
 
Hi christ,

Please make sure that:

1. You have a static IP.
2. You need to buy an SSL certificate.

If you have your own server, yes you can generate the SSL yourself. :)
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


