Re:Always. (Score 1)

An X.509 certificate is a binding of a subject name to a public key. *Everything* in an X.509 certificate is public information.

It does not provide encryption - just the information used by software that provides services in a public key infrastructure.

To the meat of the question: if you know what you're doing, it is appropriate to use self-signed certificates in internal applications that need to use public key encryption. This would include, but not be limited to, situations where internal/intranet services need to communicate to other intranet services. I would not recommend it for public services (like https:, for example). The reason is simple: there would be no mechanism for the client to verify the authenticity of the server certificate.