A very ignorant question, sans doute.
I get my certificates from cacert.org, to whom I am very grateful. I follow what I take to be the official procedure, first creating .key and .csr on my server and then getting .crt by going to Server Certificate=>New at the cacert site.
I then place the key certficate *.key in /etc/pki/tls/private/
and what I call the client certificate *.crt in /etc/pki/tls/certs/ .
But I notice that there at www.cacert.org there is a Client Certificate folder as well as the Server Certificate folder, and it seems that one can create a “client certificate” there.
My quesion is: what is the purpose of this second client certificate?
And while I am on the topic, what are the recommended file permissions for PKI certificates?
I was a little surprised to find my .key has permission 640, while .crt has permission 644. The folder /etc/pki/tls/private/ on my server does not seem to have any special security;
it is owned by root but can be opened and listed by anybody. Is that the recommended setup?