I want to create WCF services using ASP.NET membership to authorize the user. However, if I just need the certificate for encryption purposes only, does it matter if it is a self-signed certificate, or do you need to buy a certificate from a vendor?

+1  A: 

You could use self-signed certificates, but the problem there is that you have to install the certificate on each and every machine that will use the certificate for encryption.

If you have a large number of machines that the clients will run on, this can easily become prohibitive from a maintenance and configuration point of view and it would easily justify the purchase of a certificate from an authority.

casperOne
Is there a simple way to expose your public key to the world?
@user190084: Well, the mechanism in place now is to have it issued by a root authority, which is what I assume you are trying to avoid (for cost reasons, if I assume correctly). You could simply expose it as a link somewhere, but that still leaves it up to the end user to install the certificate on their machine, and that's a trust decision you are asking them to make. With root authorities, it's easier to get them to accept, because *everyone* accepts them, for the most part. Short answer: buy the certificate.
casperOne
+3  A: 

A self-signed certificate, regardless of whether you authenticate the user, carries the same risks. Best practice is to use a real cert in a production environment. With some very cheap prices these days, it's not much of a financial burden to take on any more either (unless you're a stickler for Verisign).

It's been discussed and noted that self-signed certs in a production WCF environment also come with heavy performance issues:

KP
What are the security risks, specifically?
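The two answers above make the same underlying point from different angles: a self-signed certificate is only trusted on machines where someone has explicitly installed it (casperOne's maintenance problem), and until that happens the client has no way to tell the real service certificate from any other self-signed certificate carrying the same name (the "same risks" KP refers to). The following C# program is an added example, not code from the question or either answer, and it is not part of WCF itself; it assumes .NET 5 or later (for `CertificateRequest` and `X509ChainPolicy.CustomTrustStore`) and uses a constructed throwaway host name, `wcf.example.test`. It builds two self-signed certificates with the same subject, then runs the standard `X509Chain` validation that WCF's transport security relies on, once against the machine's default roots, once after "installing" the genuine certificate as a trusted root, and once with an impostor certificate that merely copies the name.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class SelfSignedTrustDemo
{
    // Constructed test material: a throwaway self-signed certificate for a hypothetical
    // WCF host name. Nothing here is a real deployment certificate.
    static X509Certificate2 MakeSelfSigned(string subject)
    {
        using var rsa = RSA.Create(2048);
        var request = new CertificateRequest(
            subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        // CreateSelfSigned copies the private key into the returned certificate,
        // so disposing the RSA instance afterwards is safe.
        return request.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
    }

    // Runs the same chain validation a WCF client performs on a service certificate.
    // trustedRoot == null  : validate against the machine's default trusted roots.
    // trustedRoot != null  : validate as if that certificate had been installed in the
    //                        client's Trusted Root store (the per-machine step casperOne
    //                        describes), without actually touching the real store.
    static bool IsTrusted(X509Certificate2 cert, X509Certificate2 trustedRoot,
                          out X509ChainStatusFlags status)
    {
        using var chain = new X509Chain();
        // Self-signed certificates carry no CRL/OCSP endpoints, so revocation checks
        // would only add noise to this demonstration.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        if (trustedRoot != null)
        {
            chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            chain.ChainPolicy.CustomTrustStore.Add(trustedRoot);
        }

        bool ok = chain.Build(cert);
        status = X509ChainStatusFlags.NoError;
        foreach (X509ChainStatus s in chain.ChainStatus)
            status |= s.Status;
        return ok;
    }

    static void Report(string scenario, bool trusted, X509ChainStatusFlags status)
    {
        Console.WriteLine(trusted
            ? $"{scenario}: trusted"
            : $"{scenario}: rejected ({status})");
    }

    static void Main()
    {
        // The certificate the service actually uses, and an impostor that copies only
        // the subject name. Anyone can mint the second one; the name proves nothing.
        using X509Certificate2 service  = MakeSelfSigned("CN=wcf.example.test");
        using X509Certificate2 impostor = MakeSelfSigned("CN=wcf.example.test");

        bool t1 = IsTrusted(service, null, out var s1);
        Report("Fresh client, nothing installed", t1, s1);

        bool t2 = IsTrusted(service, service, out var s2);
        Report("Client with the service cert installed as a root", t2, s2);

        bool t3 = IsTrusted(impostor, service, out var s3);
        Report("Same client, presented with an impostor of the same name", t3, s3);
    }
}
```

The three results show where the trust actually lives. A client that has not installed anything rejects the service certificate with an untrusted-root status, which is why every client machine needs the manual install step. Once the genuine certificate is installed, validation passes. The impostor still fails on that same client because trust was attached to the specific certificate (its key), not to the name; a CA-issued certificate gives the client the same guarantee without the per-machine install, because the CA's root is already present and the CA is the one checking who controls the name.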