
How can I verify a self-signed certificate?

I am currently writing a desktop app which will need to communicate with PHP scripts on my remote server via https (with a self-signed certificate). The server-client communication code is still in the planning stages, however, because I haven't yet figured out how to verify (on the client) that I am actually communicating with MY server. I'm presuming that there is some way to verify the server's identity using the certificate. I am intending to use WinHTTP for the https communication, providing it has all of the functionality that I need.

To greatly oversimplify things: clients verify the server's certificate by using a hardcoded list of trusted certificate authorities. The certificate authority list is an internal list of certificates that's baked into the client, and the client verifies that the certificate presented by the server is signed by one of the certificate authorities that the client trusts.

So, no matter what you end up doing, your client will have to keep some kind of a list of certificates that it trusts. This is a fundamental aspect of the TLS trust model. You could simply include your self-signed certificate with the client, and the client verifies that your server presented the same certificate.

But the right answer is to run your own certificate authority. It involves some additional advance prep work, but the end result will work much better. Instead of the several dozen, or so, standard certificate authorities that are either included in your operating system or your browser, your client will have exactly one trusted certificate authority in its trust list: your own certificate authority, and your client will verify that your server's certificate is signed by your certificate authority.
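Both options in the answer above come down to the same client-side setting: start with an empty trust list, load exactly one anchor (either your own CA certificate or the self-signed server certificate itself, which is its own issuer), and keep hostname checking on. The following is an added example written for this post, not code from the asker or the answerer; it uses Python's standard `ssl` module rather than WinHTTP because the trust-store logic is the same in any TLS client. The file names, host name and the `sample_der` bytes are constructed placeholders, and `connect_verified` is a hypothetical helper name.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Optional


def empty_trust_context() -> ssl.SSLContext:
    """Client-side context that demands a certificate and checks the hostname,
    but starts with an EMPTY trust list: the operating system's CA bundle is
    deliberately not loaded, so nothing is trusted until we add our own anchor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED      # default for TLS_CLIENT, made explicit
    ctx.check_hostname = True                # the cert must also name the host we dialled
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def trust_only(anchor_pem: str) -> ssl.SSLContext:
    """Trust exactly one anchor. `anchor_pem` is either the certificate of your
    own private CA (the recommended option) or the server's self-signed
    certificate itself; a self-signed certificate is its own issuer, so the
    verifier accepts it as a trust anchor."""
    ctx = empty_trust_context()
    ctx.load_verify_locations(cadata=anchor_pem)
    return ctx


def context_summary(ctx: ssl.SSLContext):
    """(verification required?, hostname checked?, number of trust anchors loaded)."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED,
            ctx.check_hostname,
            len(ctx.get_ca_certs()))


def sha256_fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 of the DER-encoded certificate: the value you would pin."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert: bytes, pinned: str) -> bool:
    """Constant-time comparison against a pinned fingerprint; accepts the
    colon-separated upper-case form that openssl prints as well as plain hex."""
    expected = pinned.replace(":", "").lower()
    return hmac.compare_digest(sha256_fingerprint(der_cert), expected)


def connect_verified(host: str, port: int, ctx: ssl.SSLContext,
                     pinned_sha256: Optional[str] = None,
                     timeout: float = 10.0) -> dict:
    """Open a TLS connection that is only accepted if the server's chain validates
    against the anchors in `ctx` (ssl.SSLCertVerificationError otherwise) and,
    optionally, if the leaf certificate also matches a pinned fingerprint."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf_der = tls.getpeercert(binary_form=True)
            if pinned_sha256 is not None and not fingerprint_matches(leaf_der, pinned_sha256):
                raise ssl.SSLError("server certificate does not match the pinned fingerprint")
            return tls.getpeercert()


if __name__ == "__main__":
    # Constructed sample: stands in for a DER certificate exported from your server.
    sample_der = b"\x30\x82\x01\x00constructed-not-a-real-certificate"
    pin = sha256_fingerprint(sample_der)
    print("pin:", pin)
    print("matches:", fingerprint_matches(sample_der, pin))
    print("empty context (verify, hostname, anchors):", context_summary(empty_trust_context()))
    # Real use, with assumed file name and host (not from the page):
    #   ctx = trust_only(open("my-private-ca.pem").read())
    #   connect_verified("api.example.invalid", 443, ctx, pinned_sha256=pin)
```

The important part is what `empty_trust_context` does not do: it never calls `load_default_certs`, so a certificate issued by any public CA is rejected and only the anchor you load is accepted. The fingerprint pin is a second, independent check on the leaf certificate; it is useful with the "ship the self-signed cert" option, but with a private CA it means every certificate rotation also needs a client update, so most deployments rely on the anchor alone.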
