Certificates are used to establish trust in secure communication. In simple terms, they help prove identity when two systems connect.
1. Server certificate
This is the most common use.
The server presents the certificate to the client so the client knows it is talking to the right system.
Example use cases
-
public website
-
internal web portal
-
REST API endpoint
-
CDN custom domain
-
load balancer HTTPS endpoint
Example names
-
portal.company.com -
api.company.com -
admin.internal.company.com
If a user opens https://portal.company.com, the server or load balancer presents the certificate. This is normal server-side TLS.
Where it may be installed
-
Application Load Balancer
-
CloudFront
-
API Gateway
-
IIS / nginx / Apache
-
Network Load Balancer with TLS listener
2. Client certificate
Here, the client presents a certificate to the server.
This is used when the server wants to verify who the calling system is.
Example use cases
-
machine-to-machine integration
-
secure partner API access
-
device authentication
-
VPN authentication
-
service account authentication without username/password
Example names
-
integration-client.pfx -
partner-api-client-cert -
device-auth-cert
If an order processing service calls a supplier API and sends a client certificate during the HTTPS connection, that is client authentication.
3. Mutual TLS (mTLS)
In mTLS, both sides present certificates.
-
server proves its identity to client
-
client also proves its identity to server
Example use cases
-
B2B integrations
-
secure internal service-to-service calls
-
healthcare or banking APIs
-
zero-trust internal APIs
Example names
-
payments-api.company.com -
partner-gateway.vendor.com -
inventory-service.internal.company.com
If inventory-service calls partner-gateway.vendor.com and both sides validate certificates, that is mTLS.
Where certificates can be installed
On a Load Balancer
Used when TLS terminates at the load balancer.
Example use cases
-
one entry point for many websites
-
centralized HTTPS management
-
host-based routing for multiple apps
Example names
-
shop.company.com -
careers.company.com -
support.company.com
A load balancer presents the right certificate based on the hostname.
On the Application Server
Used when TLS terminates directly on the server.
Example use cases
-
legacy applications
-
internal admin tools
-
direct server-hosted portals
-
applications not behind a centralized ingress
Example names
-
reports.internal.company.local -
admin-node-07.corp.local -
legacy-app.company.local
The certificate is installed directly on the server and bound in IIS or nginx.
In the Windows Certificate Store
Applications or IIS can load certificates from the Windows certificate store.
Example use cases
-
IIS-hosted website
-
.NET Windows service
-
internal scheduler calling external API
Example names
-
client-auth-service-cert -
portal-web-cert -
erp-integration-cert
As Files
Certificates may also exist as:
-
.pfx -
.pem -
.crt -
.key -
.jks
Example use cases
-
Linux web servers
-
Java applications
-
containerized services
-
outbound secure API integrations
Example names
-
server.crt -
server.key -
client-auth.pfx -
service-keystore.jks
In Secrets Manager or Config
Some applications load certificates at runtime from secret or config stores.
Example use cases
-
microservices
-
containerized apps
-
outbound client-auth integrations
-
automated batch jobs
Example names
-
PAYMENT_GATEWAY_CLIENT_CERT -
MTLS_CERT_PATH -
PARTNER_API_KEYSTORE
How to know what a certificate is doing
If it is attached to:
-
load balancer HTTPS listener
-
CDN custom domain
-
API custom domain
-
IIS HTTPS binding
then it is usually being used as a server certificate.
If the application is configured with:
-
.pfx -
keystore
-
thumbprint
-
ClientCertificates -
X509Certificate2
then it may be used as a client certificate.
Important note
A certificate may contain both:
-
Server Authentication
-
Client Authentication
But that does not mean both are actually used.
The real question is:
Is the certificate being used only for server TLS, or also for client authentication?
Quick examples
Example 1: Public website
-
portal.company.com -
certificate attached to load balancer
-
users access over HTTPS
Result:
server TLS only
Example 2: Internal portal
-
admin.internal.company.com -
certificate installed in IIS
-
client certificates not required
Result:
server TLS only
Example 3: Secure partner integration
-
order service calls partner API
-
app loads
partner-client.pfx -
cert attached to outbound HTTPS client
Result:
client certificate usage
Example 4: B2B mutual TLS
-
partner-gateway.vendor.com -
both systems exchange and validate certificates
Result:
mTLS
Final takeaway
Certificates can be installed on load balancers, CDNs, API gateways, servers, applications, secret stores, or appliances. Their role depends on who presents the certificate and where TLS terminates.
In short:
-
server presents certificate → server TLS
-
client presents certificate → client authentication
-
both present certificates → mTLS
No comments:
Post a Comment