I have two applications (.net) on two web-servers. The first application will need to do a request (via WebClient) to the second and get results.

I need to ensure encryption, data integrity, and authentication.

Let's say I create a self-signed certificate. I bind it to the 2nd application and also add it to the certificate storage of my first application (and also add it on my WebClient).

Will this be enough (security wise)?

J1mak0s

1 Answer

In using a self-signed certificate, you essentially face the same risks as a certificate authority. Mainly, you need to make sure your private key is kept secure. This is ensured using a number of methods.

Firstly, use an HSM (hardware security module) to store your private keys and perform encryption. Your cloud hosting provider may provide this service.

Secondly, the certificate you use for TLS encryption will typically be at the third level in a certificate chain. This Stack Exchange page, for example, has a certificate chain like this:

DigiCert Root CA (25 years before expiry)
    |
    DigiCert Server CA (15 years before expiry)
        |
        *.stackexchange.com (1 year before expiry)

This makes it easy to rotate keys, before they get leaked or cracked, without having to regularly update the certificate store. Of course, since you have control over the certificate store, you can change the certificates as often as you like without need for such a chain.

Thirdly, I once read somewhere that you should change the system time to a random value when generating the private key, since system time is used as part of the seed for random generation. The system time is 'leaked' in the valid from field of the certificate to the nearest second, causing a small loss of entropy. Though I think you'll still have plenty of entropy left over, so maybe skip this step. :)

Also, make sure you're always using the latest version of TLS.

Irfan434
  • ...most cloud providers won't make you manually deal with an HSM, you'd just have to upload the certificate itself. No reputable tool for certificate generation is going to use current system time for seeding random, **specifically because of** the issue you list - all modern OSs have utilities for getting much better sources of random data. And the `ValidFrom` field doesn't have to be the issue time - and in fact, it probably isn't, if you're planning to rotate your keys regularly (i.e., you would issue keys hours or days before valid). – Clockwork-Muse May 24 '19 at 17:34
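
One way to apply the setup from the question on the calling side, as an added example that is not part of the original question, answer or comment: a `WebClient` subclass that accepts only the second application's self-signed certificate, identified by its SHA-256 digest, instead of trusting it through the machine certificate store. The class name `PinnedWebClient` and its constructor parameter are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper (not from the page): a WebClient that accepts exactly one server certificate.
public sealed class PinnedWebClient : WebClient
{
    private readonly byte[] _pin; // SHA-256 over the DER bytes of the server certificate

    public PinnedWebClient(byte[] pinnedCertSha256)
    {
        if (pinnedCertSha256 == null || pinnedCertSha256.Length != 32)
            throw new ArgumentException("Expected a 32-byte SHA-256 digest.");
        _pin = (byte[])pinnedCertSha256.Clone();
    }

    protected override WebRequest GetWebRequest(Uri address)
    {
        if (address.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("Only https:// is allowed.");
        var request = (HttpWebRequest)base.GetWebRequest(address);
        // Per-request callback: validation for the rest of the process is unchanged.
        request.ServerCertificateValidationCallback = Validate;
        return request;
    }

    private bool Validate(object sender, X509Certificate cert,
                          X509Chain chain, SslPolicyErrors errors)
    {
        // A self-signed certificate that is not in the trusted root store reports
        // chain errors; tolerate only those. A host name mismatch or a missing
        // certificate is always fatal.
        if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != SslPolicyErrors.None)
            return false;
        if (cert == null) return false;

        var cert2 = new X509Certificate2(cert);
        // Chain errors are ignored above, so check the validity window explicitly
        // (NotBefore and NotAfter are returned in local time).
        var now = DateTime.Now;
        if (now < cert2.NotBefore || now > cert2.NotAfter) return false;

        using (var sha = SHA256.Create())
            return sha.ComputeHash(cert2.RawData).SequenceEqual(_pin);
    }
}
```

With a pin like this, rotating the server certificate means shipping the new digest to the first application before the switch, which is the update cost the chain in the answer is meant to avoid.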