What kind of certificate should I get If I want to secure a connection between a web server and a database?

It is important to understand that certificates provide integrity and encryption provides confidentiality. In other words; the certificate makes sure that you are talking to who you think you are (if part of chain of trust), but it does not encrypt your connection. However integrity and confidentiality nearly always go hand-in-hand, which is why the public key of a client is contained within its certificate. Once the identity of the asset serving the certificate is verified, its public key can be used to encrypt the connection and negotiate further encryption details.

In theory it would suffice to simply generate a keypair on both the database server and application server, and use those to configure the encryption between the two. The fact is that many systems require certificates to encrypt the connection, so as said, also the identity of the other side of the connection can be verified. Since your application is not publicly facing, the certificate does not need to be signed by a CA. You would just need to generate a keypair, create a CSR out of it, and consequently self-sign it. No money has to be spent here.

You can use these self-signed certificates to configure the encryption between the database and your application.


encrypt a connection between an application server and a database

I think you should just establish an IPSEC tunnel between the database server and app server. This will provide you both confidentiality and integrity. (ESP + AH)

Configuration Reference