Makecert certificates safe?

Question

I made an application, which communicates over the. net SSLStream, and for developing I used makecert.exe to create a self signed ssl certificate. Now Ive read in some microsoft article, that makecert should be used for testing only.

Now my question is: is the application safe with this cert, or which program can i make a safe and comparible cert?

Any help will be greatly appreciated

Edit: The self signed Certificate is hardcoded into the client application and it compares it everytime it establish a connection, so man-in-the-middle attack couldnt work, but how random are the makecert Certificates?

Answer 1

I would recommend using OpenSSL to create a self-signed certificate used for production environment. I've never made thoughts about makecert.exe. To be honest: You want to achieve an encrypted transfer of your data using SSL between your Application and the server.

The hole certificate wont be displayed to the "user/customer". The only reason nowadays is to embedd a badge with "this is a secure page" to the page on which SSL is enabled.

If you are looking for this, you will definitely need a signed Certificate from a CA. If you are thinking about this, i recommend StartSSL, because it's far the cheapest and offers you for one time validation nearly unlimited wildcard certificates. Its trusted by microsoft and you can create a code-signing-cerficiate for free. (Onetime fee for validation only).

Concerning the randomness and security of the certificate:

If you are validating the fingerprint of the certificate you are connecting to, there should be less security concerns. (i.e. Fiddler won't work this way).

SSL is based on RSA Algorithm so when generating a private/public keypair with a keysize of 2048 or even 4096 (max. on StartSSL) there shouldn't be any security concerns. How to create the Certificate you will find here If you wont trust RSA, you shoudn't trust anyone ;)

Keep in mind that most universities using self signed certificates created using OpenSSL. Its now FIPS certificated and allowes you a wide bunch of settings to achieve fit your system.

Answer 2

It's safe if you find some secure way to get the certificate to everyone who uses your application. Otherwise, they'll have no way to know they're really talking to your application. Anyone else can run makecert just like you did, and nobody will have any way to know whether they're really talking to you. A certificate issued by a CA bind your identity to a certificate, allowing clients to know they're really talking to the right service.

When you punch https://www.amazon.com into your browser, how do you know you're sending your credit card information to Amazon and not an imposter? Well, Amazon has a certificate that was issued for www.amazon.com by a certification authority. An imposter could not get such a certificate -- the authority wouldn't issue it.

But if Amazon used a self-signed certificate ... well, anyone can do that. So how would I know I was actually talking to Amazon? I would have to know ahead of time which self-signed certificate that claimed to be for www.amazon.com was the right one. I wouldn't have a CA's stamp of approval to tell me.

Answer 3

you hardcoded your password (as a long cert) into your application, and you are asking if it's safe?

all I need is a copy of your code or wherever you stored it and I can hack all the apps you ever write. plus you cannot update or change it.

Answer 4

Self-signed certificates say essentially "I certify that I am I. Signed: I". Look up how to set up you own certificate authority (it depends on your choosen environment, and there are several options). Use that authority to issue certificates, and set the servers and clients to trust your CA. No need to pay $$$$ for them, plus you know exactly under what conditions you hand out certificates.