Can I use the same SSL/TLS certificate as both a "server" and "client"?

Chris Sun asked:

I have a proxy server. Clients connect to it over HTTPS, so it needs a server certificate. The proxy server also makes outgoing requests to other backend servers. One of those backend servers requires mutual TLS, so I also need a “client” certificate.

Is it OK to use one certificate for both cases? Is this a common practice, or do most choose to use 2 separate certificates?

My answer:

It could be done, but you probably don’t want to.

It’s technically possible for a TLS certificate to be used as both a server certificate and a client certificate. The TLS certificate for this very site has its key usage set that way, for instance.

[Screenshot: Certificate for *]

But the server which requires a client certificate does so to authenticate the client. So it will want a specific certificate signed by a specific certificate authority. The TLS certificate you use for an Internet-facing server is probably not what you want in this case, as that server would find it much more difficult to limit which client certificates it accepted.

The server administrator of that backend server can issue the proper client certificate, or point you to the certificate authority who can.
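Added example, not part of the original answer: a small standard-library Python decoder that reads a certificate's extendedKeyUsage extension value (DER) and reports whether it permits serverAuth, clientAuth, or both. The DER byte strings at the bottom are constructed for this example.

```python
# Decode an X.509 extendedKeyUsage extension value and report which TLS roles
# (server, client) it permits. Standard library only; sample bytes are constructed.

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth
ANY_EKU = "2.5.29.37.0"            # anyExtendedKeyUsage (RFC 5280 4.2.1.12)

def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Turn the contents of an OBJECT IDENTIFIER into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def eku_oids(ext_value):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId -> list of dotted OIDs."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("extendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        oids.append(_decode_oid(body))
    return oids

def allowed_roles(ext_value):
    """TLS roles the EKU permits; a missing EKU (None) means no restriction."""
    if ext_value is None:
        return {"server", "client"}
    oids = set(eku_oids(ext_value))
    if ANY_EKU in oids:
        return {"server", "client"}
    return {r for r, oid in (("server", SERVER_AUTH), ("client", CLIENT_AUTH)) if oid in oids}

# Constructed: SEQUENCE { serverAuth, clientAuth }, the dual-use layout the answer mentions
DUAL_EKU = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
# Constructed: serverAuth only, typical for a public web-server certificate
SERVER_ONLY_EKU = bytes.fromhex("300a" "06082b06010505070301")

if __name__ == "__main__":
    print("dual-use certificate:", allowed_roles(DUAL_EKU))
    print("server-only certificate:", allowed_roles(SERVER_ONLY_EKU))
```

Note that a permissive EKU only says what the certificate may be used for; the backend's mTLS policy (which issuing CA it trusts) decides whether it is actually accepted.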

View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.