Recently our infrastructure team told our development team that you do not need a certificate for HTTPS. They mentioned that the only benefit of buying a certificate was to give the consumer peace of mind that they are connecting to the correct website.
This goes against everything I assumed about HTTPS.
I read Wikipedia and it mentions you need either a trusted certificate or a self-signed certificate to configure HTTPS.
Is it possible to configure IIS to respond to HTTPS without any certificate?
Best Answer
No. You must have a certificate. It can be self-signed, but there must be a public/private key pair in place to exchange the session symmetric key between server and client to encrypt data.
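The behaviour described in the answer can be reproduced without IIS. The following is an added example, not part of the original post: it uses Python's `ssl` module (OpenSSL, not IIS/Schannel) with default cipher settings to run a TLS handshake in memory against a server context that has no key pair loaded. The function name and the hostname `site.example.test` are assumptions made for the illustration.

```python
import ssl


def handshake_without_certificate():
    """Run an in-memory TLS handshake against a server with no key pair.

    Returns (completed, reason); completed is True only if both sides finish.
    """
    # Server: a TLS server context on which load_cert_chain() is never called.
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)

    # Client: certificate verification is switched off so that a failure
    # cannot be blamed on trust checks (self-signed vs. CA-issued).
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client_ctx.check_hostname = False
    client_ctx.verify_mode = ssl.CERT_NONE

    # Memory BIOs stand in for the network connection.
    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(c_in, c_out,
                                 server_hostname="site.example.test")  # constructed name
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)

    steps = (("client", client, c_out, s_in), ("server", server, s_out, c_in))
    done = {"client": False, "server": False}
    for _ in range(10):  # a normal handshake needs only a few round trips
        for name, side, outgoing, peer_incoming in steps:
            if not done[name]:
                try:
                    side.do_handshake()
                    done[name] = True
                except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
                    pass  # waiting for bytes from the peer
                except ssl.SSLError as exc:
                    return False, f"{name} aborted: {exc.reason}"
            # Deliver whatever this side produced to the other side.
            peer_incoming.write(outgoing.read())
        if all(done.values()):
            return True, "handshake completed"
    return False, "handshake stalled"


if __name__ == "__main__":
    print(handshake_without_certificate())
```

The handshake is aborted before any application data can be exchanged, even though the client was told not to validate anything.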