Re: But why is it so complicated?
The issue arises when you are developing and testing an application that will have to work in a much more complex and riskier environment. You have to check not only that it encrypts traffic somehow, but it has to be able to validate certificates, spot issue. and communicate errors properly so they can be fixed without long troubleshooting. The scenario is not as simple as some home APs.
For example an application we worked on a year ago had several clients communicating with servers over TLS (one channel were message queues, not only HTTPS), and a web interface accessible with HTTPS for management as well. Clients used certificates for authentication also. We had a CA, two intermediate CAs (one for the servers, the other for the clients), and all the required certificates with the proper settings - each certificate type was different.
Certificate revocation checks happened on both sides, and client certificates renewals had to be managed also. We couldn't ignore any warning or other issue.
We had to setup a whole test PKI, and been able to test what happened when something went wrong.
You need something to help you create and manage all that stuff.
Biting the hand that feeds IT
