Scott P

Reputation: 3782

Multiple services with same self-signed certificate

I've got a WCF intranet application I'm working on that will have 150 clients controlled/monitored by a control application. Is it kosher to create a self-signed certificate and install this same certificate on each of the 150 clients?

I want security between the client and server but will not have authentication support from a domain controller et al.

Any pitfalls in using the same certificate on all these clients?

Upvotes: 0

Views: 462

Answers (3)

Drew Marsh

Reputation: 33379

The pitfall is you won't really be able to distinguish between them unless they're passing some other form of identity along with the request. Plus, if one of them is compromised, you essentially have to shut your entire service off because they all use the same certificate. IMHO you want to create a client certificate per partner to avoid these problems.

The question I have though is, why aren't you just using transport security (i.e. SSL) instead of message security if all you care about is securing the communication and not providing identity?

Upvotes: 1

Procule

Reputation: 105

Absolutely not. Websites use the same certificate for thousands/millions of users. Only the server will be able to decrypt the information of each client.

Upvotes: 0

schinazi

Reputation: 858

If the certificate is compromised, you will need to revoke it, generate a new one, and install it on every machine. If each machine had their own, you would only need to revoke the one that can no longer be trusted, generate a new one, then install once.

Upvotes: 1
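
The per-client approach described in the answers by Drew Marsh and schinazi, as an added example that is not part of any of the original posts: a private root signs one certificate per client, and a thumbprint manifest lets the server tell clients apart and stop trusting a single one. The client names, subject names, output folder, key sizes and validity periods are assumptions.

```powershell
# Added example. Assumed, not from the page: names client001..client150,
# subject names, output folder, key sizes and validity periods.
$outDir = Join-Path $env:TEMP 'client-certs'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Private root used only to sign client certificates; its key stays on this machine.
$root = New-SelfSignedCertificate -Type Custom `
    -Subject 'CN=Example Intranet Root' `
    -KeyUsage CertSign, CRLSign `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -TextExtension @('2.5.29.19={text}CA=true') `
    -NotAfter (Get-Date).AddYears(5) `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# Public half of the root: the only thing the server has to trust.
Export-Certificate -Cert $root -FilePath (Join-Path $outDir 'root.cer') | Out-Null

# Password protecting the PFX files in transit (prompted, never hard-coded).
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX transport password'

$manifest = foreach ($i in 1..150) {
    $name = 'client{0:D3}' -f $i

    # One key pair per client, limited to client authentication (EKU 1.3.6.1.5.5.7.3.2).
    $cert = New-SelfSignedCertificate -Type Custom `
        -Subject "CN=$name" `
        -Signer $root `
        -KeyUsage DigitalSignature, KeyEncipherment `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeyExportPolicy Exportable `
        -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2') `
        -NotAfter (Get-Date).AddYears(1) `
        -CertStoreLocation 'Cert:\CurrentUser\My'

    # Hand the client its own PFX, then delete the private key from the issuing machine.
    Export-PfxCertificate -Cert $cert -Password $pfxPassword `
        -FilePath (Join-Path $outDir "$name.pfx") | Out-Null
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey

    # Record which thumbprint belongs to which client.
    [pscustomobject]@{ Client = $name; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter }
}

# The server uses this list to identify a caller or to refuse one compromised client.
$manifest | Export-Csv -Path (Join-Path $outDir 'clients.csv') -NoTypeInformation
```

If one client is compromised, only its row is removed from the server's list and only that machine needs a new PFX; the other 149 are untouched.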
