We've developed a WCF web service that is hosted on our own servers.
The consuming/client application is installed on a machine that we provide (most of the time) to the actual clients. But either way, our software is all the box is used for.
Is it necessary for us to purchase an "official" Root CA, like one from VeriSign or Thawte? Or can we just use a self-signed CA generated with makecert? I am inclined to say no, we don't need a "real" one, because, since we created and are installing the software on the boxes, we know that the software is safe... But I am very new to WCF and this type of security, so there's a large possibility that I'm wrong.
The way it is set up currently involves the client side having the self-signed CA in the Trusted Root CA store, as well as the Client cert in the Personal store, and uses ChainTrust as the validation mode.
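As an added example (not code from the post), one way to keep chain validation against a private makecert root without putting that root in the machine-wide Trusted Root store, so it is trusted only by this service rather than by every TLS and code-signing check on the box: a custom WCF X509CertificateValidator that builds the chain with the private root as an extra store and pins the chain's root thumbprint. The class name and the `caPublishesCrl` flag are hypothetical; the code assumes the root certificate is loaded by the caller.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Hypothetical validator (not from the post): a client certificate is accepted only if it
// chains to one pinned private root, which need not sit in the machine's Trusted Root store.
public sealed class PrivateRootValidator : X509CertificateValidator
{
    private readonly X509Certificate2 _root;
    private readonly bool _caPublishesCrl;

    public PrivateRootValidator(X509Certificate2 privateRoot, bool caPublishesCrl)
    {
        _root = privateRoot;
        _caPublishesCrl = caPublishesCrl;
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null) throw new ArgumentNullException("certificate");
        var chain = new X509Chain();
        try
        {
            chain.ChainPolicy.ExtraStore.Add(_root);
            // makecert-issued certificates carry no CRL distribution point, so revocation
            // checking can only be turned on once the private CA actually publishes a CRL.
            chain.ChainPolicy.RevocationMode = _caPublishesCrl ? X509RevocationMode.Online : X509RevocationMode.NoCheck;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

            bool built = chain.Build(certificate);
            // A root outside the OS store makes Build() report UntrustedRoot; tolerate that status alone.
            bool onlyUntrustedRoot = chain.ChainStatus.All(s => s.Status == X509ChainStatusFlags.UntrustedRoot);
            if (!built && !onlyUntrustedRoot)
                throw new SecurityTokenValidationException(
                    "Chain build failed: " + string.Join(", ", chain.ChainStatus.Select(s => s.Status)));

            // The chain must be at least leaf + root and must end at our pinned root,
            // not at any other CA the box happens to trust.
            var chainRoot = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            if (chain.ChainElements.Count < 2 ||
                !string.Equals(chainRoot.Thumbprint, _root.Thumbprint, StringComparison.OrdinalIgnoreCase))
                throw new SecurityTokenValidationException("Client certificate does not chain to the private root CA.");
        }
        finally
        {
            chain.Reset(); // releases the native chain context on all .NET Framework versions
        }
    }
}
```

Attach it in code via `host.Credentials.ClientCertificate.Authentication`, setting `CertificateValidationMode = X509CertificateValidationMode.Custom` and `CustomCertificateValidator = new PrivateRootValidator(root, false)`; the client certificate stays in the Personal store exactly as in the current setup.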