There are two places which are distinctly separate which have the possibility of a certificate, one compulsory and one optional:

1. Compulsory: Secure Migration Agent Communication, this is a certificate which is you generate in PowerSyncPro Migration Agent Server configuration which supersedes the PreSharedKey (PSK) when the device is registered, the certificate is used to encrypt the traffic over port 5000 (or any other port) between the server and the device. This configuration has no impact on the dirsync side of the tool. 
    
2. Optional: You have the option of configuring the IIS server with a public or internal certificate so that all communication can use HTTPS rather than HTTP. When you perform this, all access to the PowerSyncPro server (including the URL used for the Migration Agent) needs to be updated to HTTPS

Furthermore, if you do use HTTPS for your communication to the PowerSyncPro server, we recommend configuring a reverse proxy as part of the PowerSyncPro installation. This will configure IIS to only allow the /agent URL for external hosts, which only the Migration Agent uses. This adds an extra layer of security so external consumers cannot access the logon screen to the PowerSyncPro server.

In Azure, you also have the option of configuring a Application Gateway in front of the PowerSyncPro Server too.

When you create the certificate in the Migration Agent configuration used for Migration Agent Communication, this is never used for IIS or HTTPS communication.