
Creating Client certificate for mutual TLS authentication

Çağlar Arlı - 6 Views

I have an application that is installed at customer premises. This sometimes has to communicate with their server (PACS server), and the details are configured in our application. I have to enable TLS for secure communication between these two entities.

Our application can be configured to communicate with multiple servers in customer premises. We ship our application to multiple customers.

The question I have is: Who will issue the client certificate?

  • Should I ask the customer to generate a client certificate so that this can be presented to their server for authentication? This means if I have multiple servers configured, I'll have multiple client certificates.

  • Should I generate a self-signed certificate and provide them the root certificate so that they can install it in their trusted root certificate store? This way I will have only one certificate to deal with, which will be shipped to all customers. The same certificate will be presented to different servers in each customer premise.

  • Should I generate a client certificate and get it signed by a 3rd-party CA?

If I go for the last 2 options, I feel that I may run into a problem with the domain name configured in the client certificate. We ship industrial PCs (Windows 10, with our application burned onto a CD).

Can we create a single certificate and ship it to multiple customers, and use it to communicate with different servers? AFAIK, if the root certificate/CA certificate that is used to sign the client certificate is in the server's trusted root certificate store, the client should be validated.

What would be the best approach I can take?
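As an added illustration (not part of the original question), the following script models the second option with the openssl CLI (1.1.1 or later assumed): a vendor-operated private CA issues one client certificate that carries the clientAuth EKU and no DNS name, and `openssl verify` then performs the same chain and purpose check a PACS server does once that CA is in its trust store. All names and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Demonstrates that a
# client certificate is validated by chaining to a trusted CA, not by
# matching a host name, so one cert can serve many servers.
set -eu

WORK="${TMPDIR:-/tmp}/mtls-demo.$$"   # constructed scratch directory

make_ca_and_client() {
  mkdir -p "$WORK"
  # 1. Vendor's private root CA: this is the certificate a customer would
  #    import into the server's trusted root store.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Vendor Client Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  # 2. Client key and CSR. The subject identifies the application, not a
  #    host, so no DNS name is needed for client authentication.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=Example Vendor PACS Client" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
  # 3. Sign it with clientAuth only, so the same file cannot be abused as
  #    a server certificate if it leaks from one site.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' \
    > "$WORK/client.ext"
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 730 \
    -extfile "$WORK/client.ext" -out "$WORK/client.crt" >/dev/null 2>&1
}

# What a server with ca.crt in its trust store does during the handshake:
# build the chain to a trusted root and check the certificate's purpose.
verify_client_cert() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient \
    "$WORK/client.crt" >/dev/null 2>&1
}

# Negative check: the same cert must NOT pass as a TLS server certificate.
verify_as_server_cert() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslserver \
    "$WORK/client.crt" >/dev/null 2>&1
}

make_ca_and_client
if verify_client_cert; then echo "client.crt chains to the CA and is valid for clientAuth"; fi
if ! verify_as_server_cert; then echo "client.crt is rejected as a server certificate (EKU)"; fi
```

Rotating or revoking that single shared certificate means touching every installation, which is the operational cost of the one-cert approach that the per-customer option avoids.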
