Does SSL require a client side certificate of any kind at all?

The typical case of certificates issued by a trusted party (Let's Encrypt etc)

Server certificates are essential because the client needs to verify that it speaks with the expected server in order to detect man-in-the-middle attacks. To authenticate itself to a client, the server needs the certificate itself, which is public, and the private key matching the certificate, which is known only to the server. To accept a server-provided certificate as trusted, the client will then, among other things, check whether this certificate was issued by a trusted party, i.e. a trusted CA (CA meaning certificate authority, i.e. the entity which issues certificates). These trusted CAs are stored as certificates in the trust store of the client's operating system or browser. These are the kind of certificates needed on the client side.

And then there are client certificates, which are used to authenticate the client against the server. These are optional and used only rarely. If they are used, the client needs not only the (public) certificate itself but also the matching secret private key, similar to what the server needs to authenticate itself against the client.

The uncommon case of self-signed server certificates

In this case the server sends a certificate which is not issued by a CA known to the browser (or app or other client). In this case no certificate is involved at the client side but the client needs to find another way to check if the certificate is the expected one. Typically the browser asks the user to add an exception in this case.

The even more uncommon case of no certificates at all

SSL/TLS can also be used without certificates at all, i.e. not even at the server side. In this case authentication is done with other methods, like a secret key pre-shared between client and server (PSK). These methods are rarely used and browsers don't support these.


Your friend is correct. The browser has to have the root certification authority certificate, so that it can verify that the server certificate has been signed by a legitimate certification authority.