Self-signed TLS certificates in Intranet

Question

I'm writing a system in C#, which consists of REST API server, written with HttpListener and WPF client app, with HttpClient and I want to use HTTPS.

As far as I know, on the server side all I have to do is run HttpListener with prefix with https and bind my certificate (creted for example with makecert) to proper port - now all communication is encrypted.

On the client side, I have to put the public part of certificate in Current User store, so that it can be trusted.

The server is not public, each client has his own instance accesible only after logging in to their VPN.

My questions: 1. Are self-signed certificates secure enough? Is generating new certificate for new client more secure(for example, from license data)? 2. How do I generate the "public part" and "private part" of certificate? How do I ship it?

It isn't a bank, so I don't want to overkill security, but I don't want to go "trust all certificates" way.

Answer 1

I believe that you'll have to add the public key of the self signed certificate to the Trusted Root Certification Authorities store as well. That is offcourse cumbersome since you'll have to do this on every client ...

Can't you use certificates issued by LetsEncrypt ?

Answer 2

Security in general hinges on how well protected your private key is. The algorithm used can be the same as on a public signed certificate.

There is no inherit security gain or loss in using a self signed certificate.

The bigger problem is the distribution of your public key among the member systems. If you run a domain wide CA on your domain controller, it should be relatively easy.

If you do not, you might be able to do it via Group Policy.

In any case it requires admin intervention to get it to run on all your systems and again should the private key be compromised.

The problem arises should you have external clients not connected to your DC. Then LetsEncrypt is definitely the better choice.