OK, there’s a few things to address here, I’ll do my best without going down the NSA rabbit hole. (believe me, I’m probably just as upset over the NSA revelations as you are, if not more).
All SSL certs are “real” in the sense that they are an SSL cert. Obviously… – however, a self signed cert is not “trusted” by any device, program, operating system, computer, phone, etc. on this planet by default. This is because your certificate is not “signed” by a globally “trusted” Certificate Authority. The CAs basically are vouching that your server is who it says it is. That’s all.
If you use a Self Signed cert, basically your cert tells anyone who is connecting via a program, webpage, etc., that your server is who it says it is, because it says so. Basically, you’d have to take the server’s word that it’s the actual server you think you are connecting to. This is horrible security, and is the reason why self signed certs are not used in production applications unless the entire environment is controlled, i.e. a corporate network running some intranet applications that are internal-facing only – because the admins can go around to every computer and download the self signed cert and install it in the computer’s “trust store”. Obviously a lot of manual work… and it adds zero additional security.
I want to repeat, a self signed cert is not more secure than a CA signed cert. In fact, they are identical. The only difference between them is the self signed cert isn’t trusted by anything, whereas the CA Signed cert is usually guaranteed to be trusted by 99% of everything.
A CSR (needed to get a signed cert from a CA) does not disclose any information about your server other than its hostname, and your company information (name, department, location, etc.).
The NSA is not capable of breaking SSL certs that are of 128 bits and more (just about all of them are). The NSA has been brute forcing lesser-secure things, yes, but SSL is not broken (otherwise the internet would be in a HUGE panic). Yes, TLS is the next iteration of web security and I do advise making a switch when possible… but also realize there are problems with TLS such as not all things can negotiate connections yet over TLS. Old browsers and programs simply don’t “speak” TLS yet.
Even if CAs were malicious in nature (some may be, who knows), what could they really do that would compromise your security? Give the NSA your name and business name and address? That’s hardly a secret if you are a company anyways. Give the NSA your CSR? Great, the NSA can generate a cert in your name, but it won’t work and won’t be trusted unless they hijacked your DNS and pointed it to their [spoofed] servers. See, the creators of SSL thought of all these things already, since there is always a large interest for someone to break SSL (not just the NSA are interested in breaking SSL; since SSL was created people have tried to break it).
In a long winded conclusion – don’t worry so much about this. If you are running a public service of some kind, you will need to get a properly CA Signed cert, otherwise you won’t have users/customers for very long. If you are doing a home project, something for a few friends, or in a completely controlled environment such as a corporate network, then a self signed cert is ok. As with most things, there is a proper time and place for them.
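Two of the points in the reply above (a CSR carries only the subject details and public key, and a self signed cert is rejected until it is installed in the client's trust store) shown as an added Go example that is not part of the original reply. The hostname and organisation are constructed, and Go's crypto/x509 verifier stands in for a client with a given trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const host = "intranet.example.test" // constructed sample hostname, not a real deployment
// MakeCSR returns a DER CSR: subject fields plus the public key, signed by a private key that never leaves the server.
func MakeCSR(key *ecdsa.PrivateKey) ([]byte, error) {
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: host, Organization: []string{"Example Corp"}},
	}, key)
}

// SelfSign issues a cert for host whose issuer is itself: the server vouches for itself.
func SelfSign(key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Trusted reports whether a client whose trust store holds exactly roots accepts cert for host.
func Trusted(cert *x509.Certificate, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}
func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cert, _ := SelfSign(key)
	installed := x509.NewCertPool()
	installed.AddCert(cert) // the manual "install it in the trust store" step the reply describes
	fmt.Println("trusted by default:", Trusted(cert, x509.NewCertPool()), "after install:", Trusted(cert, installed))
}
```

Parsing the CSR with x509.ParseCertificateRequest shows only the subject and public key; the private key is never part of it.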