What do all these public and private keys do?

The user key is generated by the Chef Server when a new user is created.
A person needs this private key to authenticate to a Chef Server when doing things with knife or other client programs.

Validator Client

This key is generated during the creation of an organization on a Chef Server, or during bootstrap of the entire system on open source Chef.
The most important use for a validator client is as a proxy during node/client creation.

The validator client is already trusted by the Chef Server, and the chef-client uses it to generate a public/private key pair specifically for that chef-client. The default name of the validator client is "ORGNAME-validator" on Chef Server 12. The default name on open source Chef 11 is "chef-validator".

The client key is the private key that the chef-client generates, using the validator client, during its initial registration with a Chef Server. Once the custom client has been created, the validator key can be removed from the managed node: the custom client is used for all subsequent operations, and the validator key is not needed again (anyone holding it can register new clients, so there is no reason to leave it on the node). The default custom client name is the hostname of the system for which it was generated.


Client == Public/Private Key pair

Further information on keys. https://docs.chef.io/chef_private_keys.html

Further information on Authentication with a Chef Server. https://docs.chef.io/auth.html

Validator and client.pem specifically - http://docs.chef.io/chef_client.html#chef-validator

The important settings in knife.rb or client.rb are these (reference: http://docs.chef.io/config_rb_knife.html):

node_name - An overloaded term which means either "the user using knife" or "the hostname of the node running a chef-client". This name must match the username or node name used with knife or chef-client, respectively.

client_key - Location of the client key on your workstation or managed node. By default ".chef/USERNAME.pem" under the current directory when using knife, and "/etc/chef/client.pem" when running a chef-client.

validation_client_name - Name of the validator client. By default "ORGNAME-validator".

validation_key - Location of the validator key on disk. By default .chef/ under the current directory when using knife, or /etc/chef/validation.pem when running a chef-client.
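The registration flow described above (validator key used once to create a node-specific client, client key used for everything afterwards) and the way the four client.rb settings drive it, shown as an added Ruby example. This is not Chef's own code: the Chef Server is replaced by a constructed in-memory stand-in (FakeChefServer) that trusts one validator identity and stores one public key per client name, the request signing is plain RSA/SHA-256 over a payload string rather than Chef's real authentication headers, and the helper names (identity_for_run, first_run_register, demo), the organization name "myorg" and the node name "web01.example.internal" are all assumptions made for the example. The config hash uses the same keys as client.rb (node_name, client_key, validation_client_name, validation_key).

```ruby
require "openssl"
require "tmpdir"

# Constructed stand-in for the parts of a Chef Server that matter here:
# one trusted validator identity plus a public key per registered client.
class FakeChefServer
  def initialize(validator_name, validator_public_key)
    @validator_name = validator_name
    @clients = { validator_name => validator_public_key }
  end

  # True only if `signature` over `payload` verifies with the public key
  # registered under `name`; unknown names are rejected.
  def authenticate(name, payload, signature)
    pub = @clients[name]
    return false unless pub
    pub.verify(OpenSSL::Digest::SHA256.new, signature, payload)
  end

  # Only the validator may create a client, and only under a fresh name
  # (no silent overwrite of an existing client's public key).
  def create_client(requester, payload, signature, new_name, new_public_pem)
    return false unless requester == @validator_name
    return false unless authenticate(requester, payload, signature)
    return false if @clients.key?(new_name)
    @clients[new_name] = OpenSSL::PKey::RSA.new(new_public_pem)
    true
  end
end

def sign(key, payload)
  key.sign(OpenSSL::Digest::SHA256.new, payload)
end

# Assumed helper: pick the identity a run uses from client.rb-style settings.
# If client_key already exists the node has its own client; otherwise fall
# back to the validator identity so the node can register itself.
def identity_for_run(config)
  if File.exist?(config[:client_key])
    { name: config[:node_name],
      key: OpenSSL::PKey::RSA.new(File.read(config[:client_key])) }
  else
    { name: config[:validation_client_name],
      key: OpenSSL::PKey::RSA.new(File.read(config[:validation_key])) }
  end
end

# Assumed helper: first run. Generate a key pair for this node, ask the
# server (as the validator) to create a client named node_name with the new
# public key, then store the private half at client_key for later runs.
def first_run_register(server, config)
  identity = identity_for_run(config)
  return :already_registered unless identity[:name] == config[:validation_client_name]
  new_key = OpenSSL::PKey::RSA.new(2048)
  payload = "create client #{config[:node_name]}"
  ok = server.create_client(identity[:name], payload, sign(identity[:key], payload),
                            config[:node_name], new_key.public_key.to_pem)
  return :rejected unless ok
  File.write(config[:client_key], new_key.to_pem)
  File.chmod(0o600, config[:client_key]) # private key: owner-only
  :registered
end

# Walk through bootstrap and a later run; returns the observations as a hash.
def demo
  Dir.mktmpdir do |dir|
    validator_key = OpenSSL::PKey::RSA.new(2048)
    File.write(File.join(dir, "validation.pem"), validator_key.to_pem)
    server = FakeChefServer.new("myorg-validator", validator_key.public_key)
    config = {                                  # constructed client.rb values
      node_name: "web01.example.internal",
      client_key: File.join(dir, "client.pem"),
      validation_client_name: "myorg-validator",
      validation_key: File.join(dir, "validation.pem"),
    }
    results = {}
    results[:first_identity] = identity_for_run(config)[:name]   # validator
    results[:register] = first_run_register(server, config)      # :registered
    results[:second_identity] = identity_for_run(config)[:name]  # node_name
    id = identity_for_run(config)
    payload = "GET /nodes/#{id[:name]}"
    results[:auth_ok] = server.authenticate(id[:name], payload, sign(id[:key], payload))
    results[:rerun] = first_run_register(server, config)         # client.pem exists
    File.delete(config[:validation_key])                         # validator key removed
    results[:after_validator_removed] = identity_for_run(config)[:name]
    # The validator's key does not stand in for the client's key.
    results[:forged] = server.authenticate(id[:name], payload, sign(validator_key, payload))
    results
  end
end

p demo if __FILE__ == $0
```

Running the file prints the hash. The points worth noticing are in the last three entries: once client.pem exists the run never reads validation.pem again, so deleting the validator key changes nothing for that node, and a signature made with the validator's private key is not accepted under the node's client name because the server checks each request against the public key stored for that specific client.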

