
Does TLS client ever require a certificate installation?


In a TLS communication I always thought the server would send the public certificate to the client during the handshake process.

However, I received a request from a provider asking us to manually install a certificate in order to initiate a TLS communication with one of their STunnel servers.

I'm a bit confused by this request. Is there a situation where a TLS server would not be able to send the certificate to the client and therefore requires a manual certificate installation?


Solution

There are two cases where a certificate installation is needed on the client side:

  • The server is using a certificate not issued by a public CA, i.e. self-signed or issued by a private CA. In this case the client must import the certificate or CA up front and install it as trusted.
  • The server is requiring client authentication based on certificates, i.e. not only the server authenticates to the client with a certificate but also the client to the server (instead of or in addition to typical passwords). In this case the client has to get a client certificate and matching key and import them so that they can be used for authentication.

It is unclear which of these cases is the one you are dealing with.
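Both cases from the answer, exercised end to end in Go as an added example that is not part of the original post and not stunnel's own code: an in-process TLS server stands in for the provider's stunnel, its certificate is self-signed (the simplest "not from a public CA" case) and it also demands a client certificate, and the names provider.example and our-client are made up. The two flags are the two things a client can be asked to install, so Demo(false, false) fails at case 1, Demo(true, false) fails at case 2, and only Demo(true, true) returns nil.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// selfSigned mints a throwaway self-signed certificate for name: one that no public CA vouches for.
func selfSigned(name string) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}
// Demo connects to a self-signed server (case 1) that also demands a client certificate (case 2); the flags are the two installs.
func Demo(trustServer, presentClientCert bool) error {
	server, client := selfSigned("provider.example"), selfSigned("our-client") // hypothetical provider and client
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(client.Leaf) // the server accepts only the client certificate it handed out
	srv := &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs}
	cfg := &tls.Config{ServerName: "provider.example", RootCAs: x509.NewCertPool()} // a trust store without the provider's certificate
	if trustServer { // case 1: "import the certificate and install it as trusted"
		cfg.RootCAs.AddCert(server.Leaf)
	}
	if presentClientCert { // case 2: load the client certificate and its matching key
		cfg.Certificates = []tls.Certificate{client}
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // server side: the first Write runs the handshake; a rejected client is simply dropped
		if c, err := ln.Accept(); err == nil {
			c.Write([]byte("ok"))
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg) // case 1 failures surface here
	if err == nil {
		_, err = conn.Read(make([]byte, 2)) // under TLS 1.3, case 2 failures surface only here
		conn.Close()
	}
	return err
}
```

The read after the handshake is deliberate: a TLS 1.3 client considers its handshake complete before the server has checked the client certificate, so a rejection for case 2 only arrives as an alert on the first read.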