A convertible authenticated encryption scheme allows a designated receiver to recover and verify a message simultaneously, during which the recipient can prove the dishonesty of the sender to any third party if the sender repudiates her signature later. In this paper, after showing some weaknesses in Wu and Hsu [T. Wu, C. Hsu, Convertible authenticated encryption scheme. The Journal of Systems and Software 62 (2002) 205–209] and Huang and Chang [H. Huang, C. Chang, An efficient convertible authenticated encryption scheme and its variant, in: Proceedings of the ICICS2003-Fifth International Conference on Information and Communications Security, Springer-Verlag, LNCS 2836, 2003, p. 382] convertible authenticated encryption schemes, we propose a practical convertible authenticated encryption scheme using self-certified public keys and then extend it to one with message linkages when the signing message is large. Each scheme could provide semantic security of the message, the signer’s public key can be simultaneously authenticated in checking a signature’ validity and only under the cooperation of the recipient could a verifier know to whom a specific signature is sent. Finally, we give a variant that could make a verifier know to whom a signature is sent while verifying its validity.