security - Is it secure to check a self-signed certificate based on its fingerprint?


I am developing a small system consisting of an embedded server (including a small display) and mobile devices (at the moment, Android phones).

These mobile devices should be able to talk to the embedded server over a secure channel. For this purpose, the server generates a self-signed SSL certificate during the first boot process.

If a new mobile device should be connected to the server, the server displays a QR code consisting of:

  • server IP
  • SSL certificate fingerprint
  • random device ID

The user scans the QR code using the mobile device. The mobile device connects to the server and checks whether the SSL certificate fingerprint matches the one scanned before.

Is this considered secure? If not, how can this problem be solved?

An alternative approach:

On the very first boot, the server generates a certificate request and sends it to a central CA server, which signs the certificate. The client devices have the CA certificate installed and verify the server certificate against it.

However, the server has to send a certificate request to the CA server and receive the signed certificate. (One could probably implement authentication to the CA server using a "master key", but once it is extracted from the system image, the whole authentication becomes useless.) In addition, this setup requires a central server, which should be avoided since the product may be used in an "offline" environment.

Yes, this is considered secure, because the fingerprint of the server's certificate is transferred to the client via a trusted mechanism (being physically next to the server to receive the fingerprint via a difficult-to-tamper transport mechanism). If a MITM attack is attempted after the initial setup, even though the server name is the same, different keys will have been generated, so the fingerprint will be different and the client can detect this and appropriately reject the communication.

It can be argued that this method is more secure because the client does not need to trust a 3rd party to verify the authenticity of the certificate. CAs issue fraudulent certificates.
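
The client-side check described in the answer, as an added example that is not part of the original question or answer. It assumes the fingerprint in the QR code is a SHA-256 hash over the DER-encoded certificate (the page does not name the algorithm); all function names are hypothetical.

```python
import hashlib
import hmac
import socket
import ssl


def normalize_fingerprint(text: str) -> bytes:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; return the 32 raw digest bytes."""
    cleaned = text.replace(":", "").replace(" ", "").strip().lower()
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError("fingerprint is not valid hex") from exc
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("expected a SHA-256 fingerprint (32 bytes)")
    return raw


def cert_fingerprint(der_cert: bytes) -> bytes:
    """SHA-256 over the DER encoding of the whole certificate (assumed algorithm)."""
    return hashlib.sha256(der_cert).digest()


def pin_matches(der_cert: bytes, pinned: str) -> bool:
    """Constant-time comparison of the presented certificate against the scanned pin."""
    return hmac.compare_digest(cert_fingerprint(der_cert), normalize_fingerprint(pinned))


def connect_pinned(host: str, port: int, pinned: str, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and keep it only if the server certificate matches the pin."""
    # CA and hostname checks are off on purpose: the certificate is self-signed,
    # so the fingerprint comparison below is the only authentication of the server.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw)
    except Exception:
        raw.close()
        raise
    # binary_form=True returns the DER certificate even though validation is disabled.
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pinned):
        tls.close()
        raise ssl.SSLError("server certificate does not match pinned fingerprint")
    return tls
```

No application data is sent before the comparison succeeds, and a mismatch closes the connection instead of falling back to an unpinned one.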

