 

Developer certificate vs purchased certificate for WCF

I understand that if I want to use authentication in WCF then I need to install a certificate on my server which WCF will use to encrypt data passing between my server and client.

For development purposes I believe I can use the makecert.exe utility to make a development certificate.

What is the worst that can happen if I use this certificate on the production environment?

and...

Why can't I use this certificate on the production environment?

and ...

What is the certificate actually going to do in this scenario?

[Edit: Added another question]

finally...

In a scenario where the website has a certificate installed to provide HTTPS support can the same certificate be used for the WCF services as well?

Note on my application: It's a NetTCP client and server service. The users will log in using the same username and password which they use for the website, which is passed in clear text. I would be happy to pass the u/n + p/w in cleartext to WCF but this isn't allowed by the framework and a certificate must be in place. However, I don't want to buy a certificate due to budget constraints!

(Sorry for the possibly stupid question but I really don't understand this, so I would welcome some help with it).

Remotec asked Mar 24 '10 09:03



2 Answers

Well, nothing major will happen if you use a developer certificate in a production environment; after all, a certificate is a certificate and the encryption it provides is the same as any commercial certificate.

However, as the certificate isn't signed by a trusted Certificate Authority, it doesn't guarantee to the client that you are you. Let me put this another way: if your service were a simple web page, the browser would say the certificate is invalid.

A certificate to provide SSL in a web server is a certificate that tells the client that the domain is a trusted and verified domain, and that the Certificate Authority can vouch for it.

So, a certificate made by makecert.exe would be like you writing your name on a piece of paper and telling, say, an officer of the law, that this is your driver's license.

Paulo Santos answered Sep 19 '22 00:09



  1. A certificate needs to be issued by a so-called Certificate Authority to be trusted. Self-signed certificates (created by makecert etc.) are not trusted, and everybody who browses to your website will receive an 'Invalid certificate' (more specifically: 'The certificate is not trusted because it is self-signed') warning. So, worst case, people won't go to your site, because they don't trust it.

  2. You can use your self signed certificate in production, but it is not advisable for reasons explained above.

  3. The certificate is used to establish a secure connection (HTTPS) between the client and the server. Next to that, it is meant to verify the server's identity. The identity of your server can not be guaranteed if your certificate is self-signed.

  4. In IIS, if you install a certificate in a web site, all WCF services deployed under that web site are able to use the certificate.

In short, use a self-signed certificate for development (look into a tool called SSL Diagnostics for easy certificate generation in IIS), but really do use a production certificate for production!

Eric Eijkelenboom answered Sep 21 '22 00:09

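Both answers make the same point: the self-signed certificate encrypts just as well, but nothing ties it to the server's identity, so whether a client accepts it is decided by the client's validation settings, not by the certificate. The configuration below is an added example (not from the question or either answer) showing what that looks like for the asker's scenario: a netTcpBinding service that takes username/password in message security and therefore needs a service certificate, plus the client-side validation setting that a developer typically weakens to make a makecert certificate work, beside the setting that should be in place in production. The service name, contract, address, port, certificate subject name and the use of the ASP.NET MembershipProvider for password checking are all assumptions made for the example.

```xml
<!-- Added example; assumed names (Example.LoginService, services.example.com, port 8731). -->

<!-- ===== Service side (app.config / web.config) ===== -->
<system.serviceModel>
  <bindings>
    <netTcpBinding>
      <!-- Message security with UserName credentials: WCF requires a service
           certificate here, which is why the framework refuses plain cleartext. -->
      <binding name="UserNameOverTcp">
        <security mode="Message">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </netTcpBinding>
  </bindings>

  <services>
    <service name="Example.LoginService" behaviorConfiguration="ServiceCertBehavior">
      <endpoint address="net.tcp://localhost:8731/LoginService"
                binding="netTcpBinding"
                bindingConfiguration="UserNameOverTcp"
                contract="Example.ILoginService" />
    </service>
  </services>

  <behaviors>
    <serviceBehaviors>
      <behavior name="ServiceCertBehavior">
        <serviceCredentials>
          <!-- Whichever certificate is in LocalMachine\My under this subject name is used:
               a makecert one in development, a CA-issued one in production.
               The binding and code do not change between the two. -->
          <serviceCertificate findValue="services.example.com"
                              storeLocation="LocalMachine"
                              storeName="My"
                              x509FindType="FindBySubjectName" />
          <!-- Assumption: the website's ASP.NET membership database holds the same
               username/password the asker wants to reuse. -->
          <userNameAuthentication userNamePasswordValidationMode="MembershipProvider" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>

<!-- ===== Client side (app.config) ===== -->
<system.serviceModel>
  <client>
    <!-- Pick ONE behaviorConfiguration: "DevTrust" while developing, "ProdTrust" when shipping. -->
    <endpoint name="LoginService"
              address="net.tcp://localhost:8731/LoginService"
              binding="netTcpBinding"
              bindingConfiguration="UserNameOverTcp"
              contract="Example.ILoginService"
              behaviorConfiguration="ProdTrust">
      <!-- Must match the subject name the service certificate was issued to. -->
      <identity>
        <dns value="services.example.com" />
      </identity>
    </endpoint>
  </client>

  <behaviors>
    <endpointBehaviors>
      <!-- WEAK (development only): trusts the exact self-signed certificate that has been
           imported into the client's TrustedPeople store. The common shortcut
           certificateValidationMode="None" accepts ANY certificate, so a MITM can present
           its own and read the username/password; never let either ship to production. -->
      <behavior name="DevTrust">
        <clientCredentials>
          <serviceCertificate>
            <authentication certificateValidationMode="PeerTrust" revocationMode="NoCheck" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>

      <!-- CORRECT (production): chain validation to a trusted CA plus a revocation check.
           This is also the WCF default, so a makecert certificate fails here unless the
           client's trust settings are deliberately loosened. -->
      <behavior name="ProdTrust">
        <clientCredentials>
          <serviceCertificate>
            <authentication certificateValidationMode="ChainTrust" revocationMode="Online" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
</system.serviceModel>
```

The practical check before going live is on the client config rather than the server: search every deployed client configuration for `certificateValidationMode="None"` or `"PeerTrust"`. The server will happily serve with a self-signed certificate either way; it is the client that either verifies the chain or silently hands its password to whoever answers on that port.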