I need to secure communication between my application and my Web Service. I own both the application and the Web Service, and I was wondering if it is possible to use HTTPS to do so.

I don't need a certificate to prove to myself who I really am (!), so I don't want to buy an SSL certificate from a Certificate Authority. I just need to make sure no one can intercept the data I pass as WebMethod parameters. Can I create a free certificate and use that to secure communication?

One other thing: I don't want to be forced to get a dedicated, public IP address for my Web Service since it is hosted on a shared Web server.

A: 

There are many articles out there showing how to create and install a self-signed certificate in IIS. What you need to remember is that this certificate will not be valid as it is not delivered by a certificate authority. Once you set a certificate on the server side you need to indicate to the client to accept the invalid certificate by using the ServerCertificateValidationCallback property:

ServicePointManager.ServerCertificateValidationCallback = 
    (sender, certificate, chain, sslPolicyErrors) => true;
Darin Dimitrov
But it still does secure the connection, yes? What about the public IP thing?
TheAgent
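
A callback that always returns true accepts any certificate, including one presented by a party sitting between the application and the Web Service. The following is an added example, not part of the original answer: it keeps the same ServerCertificateValidationCallback hook but accepts an untrusted certificate only when it matches a pinned fingerprint. The class name, the helper names and the PinnedSha256 placeholder are assumptions introduced here.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PinnedCertificateValidation
{
    // Placeholder (assumption): SHA-256 of the self-signed certificate's DER
    // bytes, as hex without separators. Replace with your own certificate's value.
    const string PinnedSha256 = "<SHA256-HEX-OF-YOUR-SELF-SIGNED-CERT>";

    // Call once at application start-up, before the first Web Service call.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    static bool Validate(object sender, X509Certificate certificate,
                         X509Chain chain, SslPolicyErrors errors)
    {
        // The callback is process-wide, so certificates that already validate
        // normally (other HTTPS endpoints the app talks to) pass unchanged.
        if (errors == SslPolicyErrors.None)
            return true;

        if (certificate == null)
            return false;

        // Validation failed (untrusted root, name mismatch, ...): accept only
        // the exact certificate whose fingerprint was pinned above.
        string actual = Sha256Hex(certificate.GetRawCertData());
        return string.Equals(actual, PinnedSha256,
                             StringComparison.OrdinalIgnoreCase);
    }

    static string Sha256Hex(byte[] data)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(data)).Replace("-", "");
    }
}
```

The pin has to be updated in the application whenever the self-signed certificate is reissued.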
A: 

You can't use an SSL certificate (self-signed or otherwise) without a dedicated IP address. Unless your shared hosting provider provides a shared SSL certificate on your IP, you will need to purchase a dedicated IP.

Robert
IP has nothing to do with SSL. SSL is secured through domain name. As long as the TTL on the DNS is kept short to prevent DNS caching of old IPs, there's no reason a non-dedicated IP can't be used for SSL.
Joel Etherton
The SSL protocol is currently flawed and only allows you to use one certificate per IP address (see http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html.en#vhosts). If you are using a shared IP address, you will most likely not be able to install an SSL certificate to it because a web host won't let you. So, yes, it is technically possible to use SSL with a non-dedicated IP but it is unlikely on a shared IP.
Robert
A: 

If you want to go through the trouble of doing it, you can use a self-signed certificate and have a tertiary server (or use the IIS server that is self-signing) to be your own certificate authority. This would allow you to generate your own certificate for free, then since you have control over the servers, you could just add your CA server as a trusted and intermediary root certificate authority.

Creating Certificate Authorities and self-signed SSL certificates

Joel Etherton
+1  A: 

Definitely it's doable, but hinges on a few conditions.

  • Create your own self-signed certificate. The lack of a certificate authority won't matter in your case because your app is your own consumer.
  • The host must allow you to configure your IIS site with an SSL cert. Hopefully the tools they provide are good enough.
  • The shared IP that your web site has currently cannot have more than one certificate bound to it. You're now at the mercy of your host to not move your site to a different IP. It may or may not have an SSL cert on another site at that time. Basically - the first one wins. An IP cannot have more than one cert-secured website.
p.campbell
A: 

I need to find the public IP address using .NET

surya