I have an application which exposes multiple WCF services (each a distinct facade for different client applications). Right now I'm managing a distinct certificate (created from our internal certificate server) per service (and I do this for multiple environments, e.g. dev, qa, staging, prod).

MSDN seems to suggest that this certificate is not only used for encrypting communications but also to "authenticate the service to clients", suggesting distinct certificates should be used so that one service is distinguished from another, even on the same server. However, I feel like I could "cheat" and use the same certificate (at least per environment) on all of the services -- essentially an application-level certificate. It would still ensure the services are from the proper application.

So how much of a "cheat" is this? Am I bending the rules too far? Obviously, it's my application and my services, so I'm free to do what I want -- but I want to keep from coloring too far outside the lines.

Trinition

0 Answers