Self-signed cert is probably a bad idea in pretty much all cases. But implementing your own CA is a different story. And the answer to your question for your own CA is the usual - "it depends" :)
For an external web application/web service/API/... it is pretty bad. Users will run into certificate errors with their browsers or the code. Some will be smart enough but many will be scared away. Not good for your growth plans :)
For an enterprise web apps it is a completely different game. Pretty much you MUST setup your own CA (for example, it would allow you to spy on your employees - if you are paranoid about leaking secrets to competitors or press). The usability issue is not a problem since the laptop/desktop will be configured by the IT team anyway and they can setup the trusted certs along the way.
Lastly, for your internal mid-tier services (you are following SOA, right?) having your own CA would allow you to create as many certs as needed fast and "for free". Thus, you can easily implement cert based authentication and separate roles for different mid-tier/backend services. By implementing the usual security measures to protect private keys (including root CA keys), you actually get a much better security than using one "real" cert for everything. Again, configuration should not be a big deal since you are controlling internal services and network anyway.
For an external web application/web service/API/... it is pretty bad. Users will run into certificate errors with their browsers or the code. Some will be smart enough but many will be scared away. Not good for your growth plans :)
For an enterprise web apps it is a completely different game. Pretty much you MUST setup your own CA (for example, it would allow you to spy on your employees - if you are paranoid about leaking secrets to competitors or press). The usability issue is not a problem since the laptop/desktop will be configured by the IT team anyway and they can setup the trusted certs along the way.
Lastly, for your internal mid-tier services (you are following SOA, right?) having your own CA would allow you to create as many certs as needed fast and "for free". Thus, you can easily implement cert based authentication and separate roles for different mid-tier/backend services. By implementing the usual security measures to protect private keys (including root CA keys), you actually get a much better security than using one "real" cert for everything. Again, configuration should not be a big deal since you are controlling internal services and network anyway.