An Https Certificate (a.k.a X509 certificate) is used to show others that you are really who you says you are.
In a https-based c/s communication, including b/s communication, in most of the cases only the server side has to show a certificate. The client doesn’t need one, otherwise it will be very inconvenient for clients.
When communicating, the client-side application such as a web browser will download the server-side certificate, verify its domain name against what is recorded in the certificate, then they can start transferring data.
But a server-side certificate itself can be fake. The client-side program needs to inquire a CA (Certificate Authority) to verify the server-side certificate’s authenticity that it is issued by a CA. This is done by using CA’s certificates(a.k.a Root Certificate).
So how to get the CA’s certificate? Web browsers have contained mainstream CAs’ certificates, such as VeriSign’s. So, everything is fine with Browsers and sites with CA-issued certificates.
However, it is not free to let a CA issue a certificate. Some websites may choose one of the 2 ways to avoid the cost by using an “invalid certificate”:
1. Use a self-signed server-side certificate
2. Be a CA myself and then issue server-side certificate, such as https://www.12306.cn/
In both of the cases the client will get a warning on browser. To avoid the warnings, you can “import” these “invalid certificates” to your browser. After importation the browser thinks you will always trust them.
We’ve talked about the case of browsers. What about other clients such as a Java desktop program or an Android APP which talks to https-based servers? They are about the same as browsers. Take Java for example. A JDK has been shipped with mainstream CA’s certificates. And you can import “invalid” certificates files to JDK, or do it at runtime with java security APIs. By the way, the importing is mandatory for Java programs. You will not get an warning but an Exception.
Finally, there are a few cases the client needs a certificate to prove himself, for example, when you are visiting an online bank system. Another example is RESTFul API calling between two companies who know each other. In this case, the server side program must explicitly point out it needs client-side authentication.