For system-wide use, OpenSSL should provide you with /etc/ssl/certs and /etc/ssl/private, the latter of which is restricted to mode 700 and owned by root:root.
If you have an application that doesn’t perform initial privilege separation from root, then it might suit you to locate them somewhere local to the application with the relevantly restricted ownership and permissions.
This is all about trust. If you get a signed certificate from Verisign, you prove to random clients that your certificate is trusted. If you self-sign the certificate, people who do not have your certificate installed on their computer cannot be sure that they aren't being attacked by a man-in-the-middle attack.
If your webserver is just used by you, then you do not need a real CA (such as verisign) to sign your certificate. Just install the certificate on the machines that you want to use and you're good to go.
Edit: So to answer your question: Yes, everything is encrypted and you can be sure no-one can read your sensitive data if you know that the certificate presented to the web browser is in fact the one you have set up the web server with.
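The two answers above cover where a key and certificate should live and why a self-signed certificate is only trustworthy for clients that already have it installed. The following shell script is an added example, not code from either answer: it generates a self-signed certificate into application-local directories (stand-ins for /etc/ssl/certs and /etc/ssl/private), locks the private key down to the owner, and then uses `openssl verify` to show that the certificate is accepted only by a client whose trust store contains it. The directory names, the CN `myhost` and the presence of the `openssl` command line tool are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answers). Assumes the openssl CLI
# is installed; CERT_DIR and KEY_DIR default to scratch directories so the
# script runs without root. In production they would be /etc/ssl/certs and
# /etc/ssl/private (or a directory local to the application).
set -eu

CERT_DIR="${CERT_DIR:-$(mktemp -d)}"   # stand-in for /etc/ssl/certs
KEY_DIR="${KEY_DIR:-$(mktemp -d)}"     # stand-in for /etc/ssl/private

# generate_selfsigned <cn>: write <cn>.key and <cn>.crt. The private key
# ends up 0600 inside a 0700 directory; the certificate is public, so 0644.
generate_selfsigned() {
    cn="$1"
    (
        umask 077   # both files are created owner-only from the start
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$cn" \
            -keyout "$KEY_DIR/$cn.key" -out "$CERT_DIR/$cn.crt" 2>/dev/null
    )
    chmod 700 "$KEY_DIR"
    chmod 600 "$KEY_DIR/$cn.key"
    chmod 644 "$CERT_DIR/$cn.crt"
}

# file_mode <path>: print the octal permission bits (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# key_is_private <path>: succeed only if nobody but the owner can read the key.
key_is_private() {
    [ "$(file_mode "$1")" = "600" ]
}

# trusted_by <cert> <trust-anchor-file>: succeed if a client whose trust
# store contains <trust-anchor-file> would accept <cert>. For a self-signed
# certificate, "installing" it on the client means exactly this.
trusted_by() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# trusted_by_default_store <cert>: succeed if the system CA bundle accepts
# <cert>. A self-signed certificate fails here, which is why a client that
# has not installed it cannot rule out a man-in-the-middle.
trusted_by_default_store() {
    openssl verify "$1" >/dev/null 2>&1
}

# Demonstration when run with DEMO=1.
if [ "${DEMO:-0}" = "1" ]; then
    generate_selfsigned myhost
    key_is_private "$KEY_DIR/myhost.key" && echo "private key is owner-only"
    trusted_by "$CERT_DIR/myhost.crt" "$CERT_DIR/myhost.crt" \
        && echo "accepted by a client that installed the certificate"
    trusted_by_default_store "$CERT_DIR/myhost.crt" \
        || echo "rejected by the default CA store, as expected"
fi
```

Run it with `DEMO=1 sh selfsigned.sh`. The point of `key_is_private` is that a mode check is cheap to run from a deployment script or a health check, so an application that cannot drop root can still prove its key directory has not been loosened by a careless `chmod`.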
Best Answer
Define the admin app inside an SSL connector.
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html