SSL/TLS certificates solve different problems:
Source identity verification
When we log in to a critical site on the internet or when we call an API we want to make sure that we’re actually communicating, sending credentials or confidential information to that site or API.We need some sort of validation of the identity we’re connecting to. The last thing we want is to access a fake website or API using a similar look and feel or the same domain name as your bank, for instance.
Certificates help you verify the identity of the server and make sure it is genuine and valid. The server provides a digital signature that can be verified by the browser or API client. The signature is a proof of identity. It’s like our passport - it’s a document that we can provide to another person to validate it is us, and the other person can verify that because the passport has been issued by a government.
Confidentiality and Integrity
During the communication with the server or API, we’ll be sending confidential information. It can be company’s data or PII. With certificates all this data will be encrypted using the secret key only known by the client and the server. This prevents Man-in-the-middle attacks (MITM)Mutual Authentication
The same way we use certificates to verify the identity of a server or an API, the server or API can also use certificates to validate the identity of the clients connecting to them. That’s what we call mutual authentication or mutual TLS. Client certificates are less common but they are a really good option in some cases. A good example could be mutual authentication between Salesforce and an experience API.Non-repudiation
Non-repudiation means that you cannot deny an action because a system provides proof of it.During the SSL communication, once the client verifies the identity of the server, the server is then authenticated and all communication is definitely coming from it and cannot be repudiated.