Apologies for what might seem like a naive question, but there is a detail to PKI architecture between clients and servers, the answer to which I have so far not been able to come across no matter where I search.
Please indulge me in the following scenario so that there is no ambiguity to what I mean by "client."
Suppose company A has an application on its intranet. This app is hosted on a web server, which its ten employees access from their work stations. Company B has a web service that company A would like to consume. Company B's service, however, requires both server and client certificates. Therefore company A will need to present a client X509 certificate when making the TLS connection.
So an employee at company A thus accesses company B's service by making a request from their personal client to company A's server, which then makes a request to company B's service.
Here's the confusion: Once A's server makes the request to B's service, A's server is now a client from the point of view of B. So the question is, where does company A store its client certificate to use B's service? On A's server, or is there a copy on each individual client workstation at A? If the former, is it stored on A's web server or domain controller? If the latter, does each individual workstation download a copy from A's server?
I've seen a bit of X509 used in back end code to make a call to a REST service out on the internet, so I'm assuming the answer is "Company A stores its client certificate on its server." Maybe that's obvious to most people, but as someone new to networking I feel it's a valid question to ask given the inherent ambiguity in functional terms like "client" and "server."
Also, company A may have server certificates it uses to authenticate clients from some company C. Are A's server certificates stored in the same place it stores its client certificates? Can they be the same certificate?
Thanks for any clarification.
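As an added example (not part of the question above), the following Go program runs both ends of the A -> B connection the scenario describes: B's endpoint requires and verifies a client certificate, while A's server, acting as the TLS client, presents the one it holds; each side also checks the peer's certificate for the matching extended key usage (serverAuth for B's certificate, clientAuth for A's). The CA, host names and certificates are all constructed in memory for the demo and are not real identifiers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue mints a P-256 certificate for this constructed demo: a self-signed root when ca is nil, otherwise a leaf signed by ca with the given extended key usage.
func issue(cn string, eku []x509.ExtKeyUsage, ca *tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	t := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku, BasicConstraintsValid: true}
	if ca == nil { // self-signed root: it signs the other two certificates
		t.IsCA, t.KeyUsage, ca = true, t.KeyUsage|x509.KeyUsageCertSign, &tls.Certificate{Leaf: t, PrivateKey: key}
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, ca.Leaf, &key.PublicKey, ca.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// mutualTLSDemo runs both ends of the A -> B call over an in-memory pipe and returns the CommonName each side verified on its peer.
func mutualTLSDemo() (bSawClient, aSawServer string, err error) {
	ca := issue("demo-root-ca.example", nil, nil) // constructed CA both companies agree to trust
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	bServer := issue("service.company-b.example", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, &ca)
	aClient := issue("app.company-a.example", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, &ca)
	aEnd, bEnd := net.Pipe()
	defer func() { aEnd.Close(); bEnd.Close() }()
	// Company B's endpoint: its own server cert, plus the CA pool it checks client certs against.
	server := tls.Server(bEnd, &tls.Config{Certificates: []tls.Certificate{bServer}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, SessionTicketsDisabled: true}) // no post-handshake write on the synchronous pipe
	client := tls.Client(aEnd, &tls.Config{Certificates: []tls.Certificate{aClient}, RootCAs: pool,
		ServerName: "service.company-b.example"}) // A's server making the outbound call: its client cert is loaded here, not on workstations
	serverErr := make(chan error, 1)
	go func() { serverErr <- server.Handshake() }()
	if err = client.Handshake(); err == nil { err = <-serverErr } // A's side finishes first, then B's verdict on A's cert
	if err != nil { return "", "", err }
	return server.ConnectionState().PeerCertificates[0].Subject.CommonName,
		client.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}
```

Swapping the two ExtKeyUsage values makes both handshakes fail, which is the practical difference between a certificate issued for a server role and one issued for a client role.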