The certificate of JOSM's site was for a long time self-signed because of a lack of free certificates from certification authorities for open source projects. Since January 2014, we use a free certificate provided by GlobalSign through its Open Source initiative.
In case you want to be absolutely certain that the certificate you fetched is really the legit one, verify that the certificate's SHA1 fingerprint is C5:8A:CF:54:15:7D:37:1F:21:6D:5D:92:B4:B4:FA:3A:3C:AA:14:6C. It very likely is.
The certificate is also available for download.