Moreover, we do not want such a web service to be bound to a host: there must be redundancy, so the application must run on multiple hosts. But they all have to support that one certificate issued to identify and authenticate that service.
One solution is to put a reverse HTTP proxy in front of all the application hosts, such as a Load Balancer. The URI for the web service then leads through DNS to a Virtual IP Address on that proxy. The private key for the certificate issued for that URI lives there, and HTTPS is terminated there. The Load Balancer then distributes the traffic destined for the web service over the backend hosts on which instances of the application run.
But sometimes one does not want security termination on a front-end proxy, but the Security office requires that this only happens on the application hosts themselves. One can then also secure the connections between the Load Balancer and the backend web servers with HTTPS: the web servers use host-specific certificates in that case.