Rest-server - Is self-signed certificate secure for production usage?

The rest-server documentation says:

Signed certificate is normally required by the restic backend, but if you just want to test the feature you can generate password-less unsigned keys with the following command:
openssl req -newkey rsa:2048 -nodes -x509 -keyout private_key -out public_key -days 365 -addext "subjectAltName = IP:127.0.0.1,DNS:yourdomain.com"

That left me confused. What about the above means that it's only for testing? Is it that it's password-less, or the unsigned keys (whatever that means)?

As far as I know, the certificate grants cryptographic security that the client is talking to the correct server. The rest-server authentication password grants knowledge that the server is talking to an authorized client.

So far so good. But is there anything else? Am I missing something? Or should we amend the documentation a bit?

Alexander mentions the security here and from that I also deduce that it should be fine. But I would like confirmation from someone who knows more about it than I do.

Thank you.

And PS: It really was pretty easy getting the rest server https configured. Pretty nice!

It is secure as long as you pass the certificate to restic using the --cacert option (and don’t use --insecure-tls).

Normal usage of TLS certs usually involves certificates that were signed by a Certificate Authority (CA), which won’t be the case for a self-signed certificate. However, if you have the means to distribute the certificate to the client and to keep it up-to-date there, then a self-signed certificate works as well.

2 Likes
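Added example (not from the post above or from the restic/rest-server project): a shell check that reproduces the documented openssl command and shows why the resulting certificate fails against a default trust store but passes when pinned the way restic's --cacert does. It assumes openssl 1.1.1 or newer in PATH; the subject name rest-server-test is made up for non-interactive generation.

```shell
#!/bin/sh
# Added example: reproduce the rest-server docs' self-signed setup and show
# what pinning the certificate (restic --cacert public_key) does and does not give you.
# Assumes openssl >= 1.1.1 in PATH. File names mirror the documented command.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Same password-less (-nodes), self-signed (-x509) key pair as the docs.
# -subj is added only so the command runs without prompting (CN is made up).
gen_cert() {
  openssl req -newkey rsa:2048 -nodes -x509 -subj "/CN=rest-server-test" \
    -keyout "$WORK/private_key" -out "$WORK/public_key" -days 365 \
    -addext "subjectAltName = IP:127.0.0.1,DNS:yourdomain.com" 2>/dev/null
}

# A client with only the system trust store: no CA vouches for this cert, so
# chain building fails ("self-signed certificate"). This is what restic sees
# without --cacert, which is why the docs call the bare cert "unsigned".
# Returns 0 when verification fails as expected.
verify_with_system_store_fails() {
  if openssl verify "$WORK/public_key" 2>/dev/null | grep -q ': OK$'; then
    return 1
  fi
  return 0
}

# Same check with the certificate itself as the trust anchor: the client has
# the public key out of band, so no CA is needed. This is what --cacert does.
verify_pinned() {
  openssl verify -CAfile "$WORK/public_key" "$WORK/public_key" 2>/dev/null \
    | grep -q ': OK$'
}

# Pinning only helps if the name restic connects to is in the SAN list;
# otherwise restic still rejects the connection (hostname mismatch).
san_contains() {
  openssl x509 -in "$WORK/public_key" -noout -text | grep -qF "$1"
}

# -days 365 means the pinned copy has to be rotated on the client too:
# succeed only if the cert stays valid for at least the next 30 days.
valid_for_30_days() {
  openssl x509 -in "$WORK/public_key" -noout -checkend 2592000 >/dev/null
}

# Typical use (not run here):
#   restic -r rest:https://user:pass@yourdomain.com:8000/ --cacert public_key snapshots
```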