
Self signed certificate in production environment for internal HTTPS calls?


I have generated a self-signed certificate. This self-signed certificate is stored in the server, which accepts requests only from clients that have this self-signed certificate. Is this acceptable? Since this HTTPS endpoint is supposed to be used only from our custom HTTPS client, I strongly feel that CA signing is not required. But my colleagues are warning that a self-signed certificate should not be used in a production environment no matter what. What should I do?


Solution

  • There is a set of policies, processes, and procedures, defined in what is called PKI (Public Key Infrastructure), to manage the life-cycle of certificates. The CAs are part of it, and help you manage certificate issuance and revocation.

    In general it is not advised to use self-signed certificates in a production environment, because you lose the life-cycle management of the certificate.

    The ideal solution/implementation in your case will actually be issuing the clients their own PKCS12 from the CA as well, which means they will have their own private key. This is the most secure way of doing it. If you know a client is compromised, you can revoke that client's certificate from the CA, and if your client app does certificate validation (as it ideally should), it should no longer be able to communicate with the server. You can simply decommission that client.

    Just an idea

    Since you mentioned internal calls, you could have your server issue P12's to the clients, with your server maintaining a record of which client has which certificate. This gives you a little control over managing the clients. You could enable certificate-based authentication (mutual authentication) on the server side for those services; you can then authenticate the client by the certificate supplied in the HTTPS layer and identify which client is trying to communicate. This gives you control to disable that client from being served by the server if needed.

    But to answer your concern, it is not ideal to use a self-signed certificate because, in the real world, you should be able to manage the certificates in real time or near real time, which will not be possible if you don't have a PKI solution in place.
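The answer's three points (a private CA instead of a bare self-signed server certificate, a PKCS#12 per client, and revocation as the way to cut off a compromised client) can be walked through end to end with the openssl command line. The script below is an added example, not code from the original answer; it assumes a POSIX shell with `openssl` on the path, and the CA name `intra-ca`, the host/client names and the `changeit` PKCS#12 password are made up for this example.

```shell
#!/bin/sh
# Added example, not code from the original answer: a minimal internal CA built
# with the openssl CLI. It issues a server certificate and a client PKCS#12,
# records every issued certificate in the CA database, revokes the client and
# publishes a CRL, and shows that chain validation then rejects that client.
# The CA name "intra-ca", the subject names and the p12 password are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory; all paths below are relative to it

setup_ca() {
  cd "$WORK"
  mkdir -p ca/newcerts
  : > ca/index.txt               # the CA database: one line per issued/revoked cert
  echo 1000 > ca/serial
  echo 1000 > ca/crlnumber
  cat > ca/openssl.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = intra
[ intra ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 7
policy = policy_cn
unique_subject = no
[ policy_cn ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
  # The root of a private PKI is the one self-signed certificate that is fine:
  # it is distributed to the parties as a trust anchor, not presented by a server.
  openssl req -x509 -config ca/openssl.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout ca/ca.key -out ca/ca.crt -days 3650 -subj "/CN=intra-ca" 2>/dev/null
  openssl ca -config ca/openssl.cnf -gencrl -out ca/ca.crl 2>/dev/null   # empty CRL to start
}

# issue_cert NAME SECTION: key + CSR for NAME, signed by the CA with extensions from SECTION,
# then bundled into NAME.p12 (cert + private key + CA cert) for hand-over to that party.
issue_cert() {
  openssl req -new -config ca/openssl.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl ca -batch -notext -config ca/openssl.cnf -extensions "$2" \
    -in "$1.csr" -out "$1.crt" 2>/dev/null
  openssl pkcs12 -export -in "$1.crt" -inkey "$1.key" -certfile ca/ca.crt \
    -name "$1" -out "$1.p12" -passout pass:changeit     # placeholder password
}

# revoke_cert NAME: mark the cert revoked in the CA database and republish the CRL
revoke_cert() {
  openssl ca -config ca/openssl.cnf -revoke "$1.crt" 2>/dev/null
  openssl ca -config ca/openssl.cnf -gencrl -out ca/ca.crl 2>/dev/null
}

# verify_cert NAME: what a relying party does: chain to the CA *and* consult the CRL
verify_cert() {
  if openssl verify -crl_check -CAfile ca/ca.crt -CRLfile ca/ca.crl "$1.crt" >/dev/null 2>&1; then
    echo valid
  else
    echo rejected
  fi
}

# issued_certs: the CA's own record of which party holds which certificate (status, serial, subject)
issued_certs() { awk -F '\t' '{ print $1, $4, $6 }' ca/index.txt; }

demo() {
  setup_ca
  issue_cert api-server v3_server
  issue_cert client-01 v3_client
  echo "client-01 before revocation: $(verify_cert client-01)"
  revoke_cert client-01
  echo "client-01 after revocation:  $(verify_cert client-01)"
  echo "api-server still:            $(verify_cert api-server)"
  echo "CA database (status, serial, subject):"; issued_certs
}

if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

Run it as `RUN_DEMO=1 sh internal-ca.sh`; without the variable the file only defines the functions so it can be sourced. The `index.txt` the CA maintains is exactly the "record of which client has what certificate" the answer describes, and `revoke_cert` plus a CRL (or OCSP, not shown) is what turns that record into a real-time cut-off. A production server certificate would also carry a `subjectAltName` for its host name, which this minimal config leaves out.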