What's the deal? Why don't they have a legitimate certificate?
Oh, a self-signed certificate is perfectly legitimate. It actually provides better privacy than a purchased certificate.
The only thing a self-signed certificate doesn't provide is any assurance that a third party has confirmed the identity of the website. But you can obtain that assurance yourself by reading around this forum.
Unfortunately, the browser message is very frighteningly-worded. Which is just how the sellers of commercial certificates like it.
and leaves its customers open to man in the middle attacks because then you have no convenient way to distinguish between the legitimate self-signed cert and an attacker's cert. I wouldn't trust anything of value to a site that used self-signed certs or a private CA unless I went through extra effort to verify that it was ok.