rsa – What is the problem of using a self signed certificate for a game?

You don’t seem to understand the issue with self-signed certificates, so allow me to explain.

Generally, when people say “Don’t use self-signed certificates!”, they mean in the context of a web server, in which you expect the general public to connect via a web server. In such a situation, if a self-signed certificate is used, this will lead to an error message:

[Image: Self-Signed Certificate Warning]

Users will naturally want to ignore the warning and proceed – after all, that’s the only way for them to use your website. So if an attacker intercepts the connection and presents his own self-signed certificate, the user would not be able to see that. After all, the error message is seen as a natural part of the process.

Self-Signed Certificates in other settings

Companies usually have a self-signed certificate as a root certificate for internal services. This certificate is distributed internally (usually via Active Directory) and thus trusted by all clients.

This is a normal setup and works as intended. If an attacker attempted to intercept the connection, an error would occur, as his certificate would not be trusted.

Self-Signed Certificates for your game

I assume that you have a server, which manages the game state, and a game client (likely a native client). In this situation, there is nothing wrong with using a self-signed certificate. Simply distribute the certificate with the client and keep the private key on the server.

Can the attacker just steal the private key?

Only if your server has a vulnerability, which would allow the attacker to do so. But that risk would also exist with a certificate signed by an external certificate authority.
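
The setup described under "Self-Signed Certificates for your game", as an added example that is not part of the original answer: a Python client that trusts only the certificate shipped with it and rejects any other. The host, port and certificate path passed to `connect_to_game_server` are assumptions, as is a certificate whose subjectAltName contains the server's host name.

```python
import hashlib
import hmac
import socket
import ssl


def strict_context():
    """TLS client context with an empty trust store (no system or public CAs)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED, hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def cert_fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


def is_bundled_cert(peer_der, bundled_pem):
    """True only if the peer presented exactly the certificate shipped with the client."""
    expected = cert_fingerprint(ssl.PEM_cert_to_DER_cert(bundled_pem))
    return hmac.compare_digest(cert_fingerprint(peer_der), expected)


def connect_to_game_server(host, port, bundled_cert_path):
    """Connect to the game server, trusting only the bundled self-signed certificate."""
    with open(bundled_cert_path, encoding="ascii") as fh:
        bundled_pem = fh.read()
    ctx = strict_context()
    ctx.load_verify_locations(cadata=bundled_pem)  # the only trust anchor
    raw = socket.create_connection((host, port), timeout=10)
    try:
        # Raises ssl.SSLCertVerificationError if the server presents a certificate
        # that does not chain to the bundled one or does not match the host name.
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    # Second check: the peer certificate must be the bundled one itself,
    # not merely something that validates against it.
    if not is_bundled_cert(tls.getpeercert(binary_form=True), bundled_pem):
        tls.close()
        raise ssl.SSLError("server certificate is not the bundled one")
    return tls
```

Because the context never loads the system trust store, a certificate issued by a public CA for the same host name is rejected as well; replacing the server certificate means shipping a client update.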