Questions of SSL certificates at the client side

  • Question

  • We have IBM WebSphere web servers running on AIX. Currently the web servers have SSL server certs issued and signed by the internal domain CA; of course, the AIX servers themselves aren't members of the domain.

    Windows 10 clients are connecting to the AIX servers through Internet Explorer 11; the website simply displays reports. All the clients are members of the internal domain.

    My question is about the client-side certificate. Is there a need to have a client SSL certificate? My vulnerability scanning always flags vulnerabilities in the SSL certificates on the clients (untrusted, weak, self-signed).

    Can I deploy client certificates through domain GPO even when the web servers are not member of the domain?


    Valuable skills are not learned, learned skills aren't valuable.

    Friday, March 22, 2019 5:48 AM
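An added check, not part of the thread, that a practitioner would run from one of the domain-joined Windows clients to see what the client itself concludes about the AIX server's certificate: it connects with TLS, builds the certificate chain against the client's own trust store (where a GPO-published internal root ends up), and reports the chain root and status. Because no client certificate is offered, a handshake that completes also shows the server does not require one. The hostname is a placeholder.

```powershell
# Added example: evaluate the reports server's certificate from this client's point of view.
# $ServerHost is a placeholder; replace it with the real WebSphere host name.
param(
    [string]$ServerHost = 'reports.example.internal',   # placeholder, not from the thread
    [int]$Port = 443
)

# Accept any server certificate during the handshake so we can retrieve it; trust is
# evaluated explicitly below with X509Chain rather than by this callback.
$acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

$tcp = New-Object System.Net.Sockets.TcpClient($ServerHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
try {
    # No client certificate collection is passed: if the server required mutual
    # authentication, this handshake would fail instead of completing.
    $ssl.AuthenticateAsClient($ServerHost)
    $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $protocol   = $ssl.SslProtocol
} finally {
    $ssl.Dispose()
    $tcp.Dispose()
}

# Build the chain using this client's trust stores (Trusted Root / Intermediate CAs).
# Revocation is skipped here so an unreachable CRL does not mask a trust-store problem.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trustedByClient = $chain.Build($serverCert)
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

[pscustomobject]@{
    Server               = "$ServerHost`:$Port"
    Protocol             = $protocol
    Subject              = $serverCert.Subject
    Issuer               = $serverCert.Issuer
    NotAfter             = $serverCert.NotAfter
    ChainRoot            = $chainRoot.Subject
    TrustedByThisClient  = $trustedByClient
    ChainStatus          = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    HandshakeWithoutClientCert = $true
}
```

If TrustedByThisClient is True and ChainRoot is the internal domain CA, the client trusts the server certificate; a scanner that does not have that internal root in its own trust store will still report the certificate as untrusted.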

All replies

  • You could create a Certificate Server and add your certificate there, and it will be updated to connected domains. To use GPO, clients must be part of the domain unless you deploy the GPO locally on clients or manually import the CA.
    Sunday, March 24, 2019 2:15 PM
  • I don't think this has answered the questions.

    1. The web servers are running on AIX servers, using IBM WebSphere. Of course they are not members of the domain.

    2. The clients are Windows 7, all are members of the domain which has an AD CA.

    3. The Web servers have the server certs issued and signed by the AD CA.

    4. Question 1: From domain clients to connect through SSL to non-domain web servers, do the clients need client SSL certs (as opposed to Server SSL certs)?

    5. Question 2: Can I deploy the client SSL certs through GPO even though the servers are not members of the domain?

    6. Question 3: If the client cert is deployed this way is the SSL client cert trusted by Domain CA?

    7. Question 4: Does it mean that if both the client SSL certs and the server SSL certs are signed by the Domain CA, both client and server certificates are trusted by the Domain CA in this situation (so that the vulnerability scanner's claim that the certs are not trusted is not true)?


    Valuable skills are not learned, learned skills aren't valuable.


    • Edited by SingChung Monday, March 25, 2019 12:13 AM
    Sunday, March 24, 2019 3:13 PM
  • Hi,

    You can refer to the link below:

    Distribute Certificates to Client Computers by Using Group Policy

    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy

    “Membership in Domain Admins or Enterprise Admins, or equivalent, in Active Directory Domain Services (AD DS) is the minimum required to complete this procedure.”

    To better answer your questions, you'd better submit a case at Windows Server > Directory Services.

    Best Regards,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, March 26, 2019 6:31 AM
    Moderator
  • This is still not answering the questions.

    I know how to distribute certificates through Group Policy.

    The questions are about certificate requirements for domain-member access to a web server on AIX, not about directory services.

    Is there a forum dedicated to certificate services or cryptography?


    Valuable skills are not learned, learned skills aren't valuable.

    Wednesday, March 27, 2019 7:46 AM
  • Hi,

    There isn't a forum dedicated to certificate services or cryptography. You may contact AIX Forum support.

    Best Regards,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, April 2, 2019 2:54 AM
    Moderator