look at openvpn team, they use selfsigned certs together with ca.crt, and y also can publish your site ca.crt on your web. you can show server and cliennt ip/domain on web page, so, you can100% avoid mitm attacks.

self-signed SSL certificates provide one thing, and one thing only: Encryption between the two ends using the certificate.

Both certificates will generate a site that cannot be read by third-parties. The data sent over an https connection or SSL, will be encrypted regardless of whether the certificate is signed or self-signed. http://webdesign.about.com/od/ssl/a/signed_v_selfsi.htm