any user should be able to use this certificate when starting a HTTPS request from such a computer. Note: The question applies to computer certificates, not to user certificates. Which clients are part of this set should somehow be administered in AD, e.g. I'm using X.509 client certificates to authenticate a set of Windows clients via mutual TLS.