Tags: certificate, client, server, x509, trust

Is it Ok to use the server cert as a client cert in a trust relationship?


I'm working on a system where multiple servers can have trust relationships with each other. These relationships are established with server-to-server connections using X.509 certificate authentication.

Servers have their own server certificates that clients use to validate the server's identity (exactly the same as browser clients and web servers).

My question: When establishing trust relationships between two servers (A and B), is there anything inherently insecure or problematic with using server A's server certificate as a client identity when server A communicates with server B? In practice, this involves installing server A's server cert into server B's trust store, and vice versa. Is it better for some reason to create a separate client-side identity for servers A and B, rather than use their server identities as their client identities?

Personally, I can't see anything wrong with it and it actually makes sense from a high-level perspective - server A is after all the client that's connecting to server B.


Solution

  • When establishing trust relationships between two servers (A and B), is there anything inherently insecure or problematic with using server A's server certificate as a client identity when server A communicates with server B?

    No, it is OK as long as the peers can authenticate each other.

    In practice, this involves installing server A's server cert into server B's trust store, and vice versa.

    In practice, certificates shall be installed from a centralized CA, either public/commercial or internal. Avoid self-signed certificates for end entities. Self-signed certificates raise cert management overhead and do not allow revocation checking (in case a peer certificate needs to be revoked).
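As an added example (not part of the question or the answer): the practical check before reusing a server certificate as a client identity is its Extended Key Usage extension, because a TLS server validating a client certificate requires the clientAuth EKU (or a certificate with no EKU restriction at all), so a certificate issued with serverAuth only is rejected even when it sits in the peer's trust store. The Go program below, assuming a hypothetical server name server-a.example, constructs self-signed test certificates with different EKU lists, installs each in a pool standing in for server B's trust store, and runs that check with Go's own verifier.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// AcceptedAsClient builds a constructed self-signed certificate for a hypothetical
// server A with the given EKUs, installs it in a pool standing in for server B's trust
// store, and asks Go's verifier whether it passes as a client identity (offline demo).
func AcceptedAsClient(ekus []x509.ExtKeyUsage) (bool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "server-a.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return false, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err
	}
	trustStoreB := x509.NewCertPool()
	trustStoreB.AddCert(cert) // "install server A's cert into server B's trust store"
	// Servers verify client certs with KeyUsages = clientAuth; an EKU list that omits it fails.
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:     trustStoreB,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil, nil
}

func main() {
	ok, err := AcceptedAsClient([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	fmt.Println("serverAuth-only cert accepted as client identity:", ok, err)
}
```

A certificate issued with both serverAuth and clientAuth, or with no EKU extension, passes the same check, which is what to ask the CA for when one certificate is meant to serve both roles.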