Securing an ASP.NET Web Service using SSL, without dedicated IP address on the Server

I need to secure communication between my application and my Web Service. I own both the application and the Web Service, and I was wondering if it is possible to use HTTPS to do so.

I don't need a certificate to prove to myself who I really am (!), so I don't want to buy an SSL certificate from a Certificate Authority. I just need to make sure no one can intercept the data I pass as WebMethod parameters; can I create a free certificate and use that to secure communication?

One other thing: I don't want to be forced to get a dedicated, public IP address for my Web Service since it is hosted on a shared Web server.


Definitely it's doable, but hinges on a few conditions.

  • Create your own self-signed certificate. The lack of a certificate authority won't matter in your case because your app is your own consumer.
  • The host must allow you to configure your IIS site with an SSL cert. Hopefully the tools they provide are good enough.
  • The shared IP that your web site has currently cannot have more than one certificate bound to it. You're now at the mercy of your host to not move your site to a different IP. It may or may not have an SSL cert on another site at that time. Basically - the first one wins. An IP cannot have more than one cert-secured website.


There are many articles out there showing how to create and install a self-signed certificate in IIS. What you need to remember is that this certificate will not be valid as it is not delivered by a certificate authority. Once you set a certificate on the server side you need to indicate to the client to accept the invalid certificate by using the ServerCertificateValidationCallback property:

ServicePointManager.ServerCertificateValidationCallback = 
    (sender, certificate, chain, sslPolicyErrors) => true;
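
An added example, not part of the answer above or of the original page: `ServerCertificateValidationCallback` is process-wide, so a callback that always returns `true` accepts any certificate from any host, including one presented by an interceptor. This sketch accepts a failing certificate only when it is the exact self-signed certificate you issued and the request targets your own service; `ServiceHost`, `PinnedSha256` and the class name are placeholder assumptions.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PinnedServiceCertificate
{
    // Assumption: placeholder values. Replace with your service's host name and
    // the SHA-256 hash (hex, no separators) of your own self-signed certificate.
    const string ServiceHost = "service.example.com";
    const string PinnedSha256 = "<SHA-256-OF-YOUR-CERTIFICATE-IN-HEX>";

    public static void Install()
    {
        // The callback is process-wide: it sees every HTTPS request made
        // through HttpWebRequest and generated web service proxies.
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    static bool Validate(object sender, X509Certificate certificate,
                         X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // A certificate that already validates normally needs no exception.
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // Only relax validation for our own service, never for other hosts.
        var request = sender as HttpWebRequest;
        if (request == null || certificate == null ||
            !string.Equals(request.Address.Host, ServiceHost,
                           StringComparison.OrdinalIgnoreCase))
            return false;

        // Accept the self-signed certificate only if it is exactly the one we issued.
        return string.Equals(Sha256Hex(certificate.GetRawCertData()), PinnedSha256,
                             StringComparison.OrdinalIgnoreCase);
    }

    static string Sha256Hex(byte[] data)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(data)).Replace("-", "");
    }
}
```

Call `PinnedServiceCertificate.Install()` once at application start-up, before the first web service call.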


You can't use an SSL certificate (self-signed or otherwise) without a dedicated IP address. Unless your shared hosting provider provides a shared SSL certificate on your IP, you will need to purchase a dedicated IP.


If you want to go through the trouble of doing it, you can use a self-signed certificate and have a tertiary server (or use the IIS server that is self-signing) to be your own certificate authority. This would allow you to generate your own certificate for free, then since you have control over the servers, you could just add your CA server as a trusted and intermediary root certificate authority.

Creating Certificate Authorities and self-signed SSL certificates
