
I'm writing a system in C#, which consists of a REST API server, written with HttpListener, and a WPF client app, written with HttpClient, and I want to use HTTPS.

As far as I know, on the server side all I have to do is run HttpListener with an https prefix and bind my certificate (created, for example, with makecert) to the proper port - now all communication is encrypted.

On the client side, I have to put the public part of the certificate in the Current User store, so that it can be trusted.

The server is not public; each client has their own instance, accessible only after logging in to their VPN.

My questions:

1. Are self-signed certificates secure enough? Is generating a new certificate for each new client more secure (for example, from license data)?
2. How do I generate the "public part" and "private part" of the certificate? How do I ship it?

It isn't a bank, so I don't want to overkill security, but I don't want to go the "trust all certificates" way.

Krzysztof Skowronek
  • Are the machines within the Intranet domain-joined? If so, you might want to consider installing Certificate Services on a suitable server and managing certificates from there. – Damien_The_Unbeliever Oct 02 '17 at 14:16
  • Well, it is a way, but I don't think that every client would allow me to install something that pushes certificates through the network, and not everyone has Certificate Services already running to allow me to just add another cert – Krzysztof Skowronek Oct 02 '17 at 14:31

2 Answers


I believe that you'll have to add the public key of the self-signed certificate to the Trusted Root Certification Authorities store as well. That is of course cumbersome, since you'll have to do this on every client ...

Can't you use certificates issued by LetsEncrypt?

Frederik Gheysels

Security in general hinges on how well protected your private key is. The algorithm used can be the same as on a public signed certificate.

There is no inherent security gain or loss in using a self-signed certificate.

The bigger problem is the distribution of your public key among the member systems. If you run a domain wide CA on your domain controller, it should be relatively easy.

If you do not, you might be able to do it via Group Policy.

In any case it requires admin intervention to get it to run on all your systems and again should the private key be compromised.

The problem arises should you have external clients not connected to your DC. Then LetsEncrypt is definitely the better choice.

Adwaenyth
  • So, if I use Lets Encrypt (I didn't know that something like this exists), my WPF client app will accept that certificate automatically because LE is trusted and I would not need to push the certificate to client machines, right? – Krzysztof Skowronek Oct 02 '17 at 14:35
  • The public LE root certificate has to be within the computer's local trusted root certificate store. If it is not, you can, however, bundle that with your WPF app. Thus you do not need to distribute your self-signed certificate to all systems, which might change a lot more often than the LE root certificate. – Adwaenyth Oct 02 '17 at 14:41
  • Thanks, could you point me to how to bundle a trust root in my program? I have a strong feeling that I will need that knowledge in the future :) – Krzysztof Skowronek Oct 02 '17 at 14:45
  • See [this question](https://stackoverflow.com/questions/12337721/how-to-programmatically-install-a-certificate-using-c-sharp). You will need elevated privileges for this if you want to store it per machine and not per user. – Adwaenyth Oct 02 '17 at 14:48
  • Oh, I found that previously. I was wondering more about the situation where some computers have not been updated for a long time and might not know about LE. I will dig through their docs. Thanks again – Krzysztof Skowronek Oct 02 '17 at 14:55
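
The question wants to avoid the "trust all certificates" callback, and the comments above suggest bundling a root certificate with the WPF app instead of relying on the machine store. The following C# is an added example illustrating both options on the HttpClient side; it is not code from the question, from either answer, or from any linked project. It assumes .NET 5 or later (X509ChainTrustMode.CustomRootTrust is not available on .NET Framework; the fingerprint-pinning variant also works on .NET Framework 4.7.1+). The fingerprint constant, the file name `ca-root.cer` and the host `api.example.internal` are placeholders to be replaced with your own values.

```csharp
// Added example, not from the original question or answers.
// Two ways to validate the server certificate without a "trust everything" callback:
//  1. pin the exact server certificate by its SHA-256 fingerprint (fits a self-signed server cert), or
//  2. trust a root certificate bundled with the application (fits a private CA, or a public root
//     such as LE's on machines whose trust store is out of date).
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class SecureClientFactory
{
    // Hex SHA-256 over the DER bytes of the server certificate. PLACEHOLDER: compute it with
    // Fingerprint() from the .cer file you ship and embed the real value at build time.
    private const string ExpectedServerCertSha256 =
        "0000000000000000000000000000000000000000000000000000000000000000";

    // Variant 1: certificate pinning. Only the one certificate whose fingerprint is embedded is
    // accepted, so neither a certificate from an unrelated public CA nor a different self-signed
    // certificate will pass, regardless of what the machine store trusts.
    public static HttpClient CreatePinnedClient(string expectedSha256Hex = ExpectedServerCertSha256)
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
            {
                if (cert == null) return false;
                string actual = Fingerprint(cert);
                bool match = string.Equals(actual, expectedSha256Hex, StringComparison.OrdinalIgnoreCase);
                if (!match)
                    Console.Error.WriteLine($"Rejected server certificate {actual}; expected {expectedSha256Hex}");
                return match;
            }
        };
        return new HttpClient(handler);
    }

    // Variant 2: trust a root shipped with the app instead of relying on the machine store.
    // The chain is rebuilt with the bundled root as the only trust anchor; host-name mismatch and
    // a missing certificate are still rejected outright.
    public static HttpClient CreateClientWithBundledRoot(X509Certificate2 bundledRoot)
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
            {
                if (cert == null) return false;
                if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0) return false;
                if ((errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0) return false;

                // Only chain errors are re-evaluated, because the machine store may not contain our root.
                using var customChain = new X509Chain();
                customChain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
                customChain.ChainPolicy.CustomTrustStore.Add(bundledRoot);
                // A private CA usually publishes no CRL/OCSP; switch this on if yours does.
                customChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
                customChain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
                // Re-use any intermediates the server sent so the chain can be rebuilt offline.
                if (chain != null)
                    foreach (X509ChainElement element in chain.ChainElements)
                        customChain.ChainPolicy.ExtraStore.Add(element.Certificate);
                return customChain.Build(cert);
            }
        };
        return new HttpClient(handler);
    }

    // Hex-encoded SHA-256 over the DER encoding of a certificate; print this for the .cer file you
    // ship to obtain the value to embed in ExpectedServerCertSha256.
    public static string Fingerprint(X509Certificate2 cert)
    {
        using var sha256 = SHA256.Create();
        return BitConverter.ToString(sha256.ComputeHash(cert.RawData)).Replace("-", "");
    }

    // Loads the public part (.cer or PEM) placed next to the executable; no private key needed.
    public static X509Certificate2 LoadBundledRoot(string path) => new X509Certificate2(path);

    // Usage (placeholder host on the customer's VPN):
    // var client = SecureClientFactory.CreateClientWithBundledRoot(SecureClientFactory.LoadBundledRoot("ca-root.cer"));
    // string body = await client.GetStringAsync("https://api.example.internal:8443/status");
}
```

Pinning is the simpler choice when each customer runs one server with one self-signed certificate: the client ships with that certificate's fingerprint and nothing has to be installed in any Windows certificate store. The bundled-root variant is the one to use when certificates rotate more often than the CA that signs them, which is the point made in the comment about LE's root changing far less often than the leaf certificate.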