Windows certificate templates: how to include group (or OU) claims in SSL/TLS client certificates

Solution 1:

The answer is no. Group membership is a rather dynamic property, not a static one, and not part of the certificate holder's identity. As a result, you cannot include group membership in a certificate, because this information doesn't belong to the identity. And every time group membership changes, you have to reissue the certificate. Certificates are valid for quite a long period. This is a very flawed solution.

I.e. any user should be able to use this certificate when starting a HTTPS request from such a computer

This will work only when the TLS request is sent from an application that runs under the local system or network service account. If you want to use such certificates, you have to explicitly configure the TLS client to use a non-default client certificate, via source code for example.

Servers are Linux-based containers and not part of the AD/domain

Interesting: how are Linux-based servers supposed to validate actual group membership?

A client certificate in mutual TLS is an authentication method. Fields in the certificate are mapped to account information that the servers must be connected to.

Since your Linux servers aren't part of any AD, they cannot bind the client certificate to an AD user account and validate group membership. The servers cannot even tell whether such a group really exists. There must be a separate identity database available to the Linux servers, and the Linux servers must somehow bind the client certificate to an identity in that separate identity database. Only information available in this separate identity database shall be used for client authorization.

This means that your requirements:

Group membership for computers should be administered in AD.

and

Servers are Linux-based containers and not part of the AD/domain

are mutually exclusive and cannot be used together. Either make the Linux servers AD-aware, or include in the certificates information about identity which is available to the Linux servers. And I would strongly avoid including group membership in certificates. Group membership should be used in short-lived tokens, not in long-lived certificates.
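As an added illustration of the answer's point (example code, not from the original post): a Python authorization check for a Linux server that maps an already-verified client certificate to an account in a separate identity database and reads group membership from there, so a membership change takes effect without reissuing the certificate. The peer-certificate dict layout is the one `ssl.SSLSocket.getpeercert()` returns; the host names and the identity database are constructed.

```python
"""Authorize a mutual-TLS client by binding its certificate to an identity
database and taking group membership from that database, never from the cert.

Assumes the TLS layer already verified the chain (e.g. ssl.CERT_REQUIRED with
a trusted CA), so the subject name below is authenticated, not self-asserted.
"""

# Constructed sample in the dict layout ssl.SSLSocket.getpeercert() returns
# for a verified machine certificate (names are made up for illustration).
PEER_CERT = {
    "subject": ((("commonName", "build01.corp.example"),),),
    "subjectAltName": (("DNS", "build01.corp.example"),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

# Constructed identity database the Linux servers can reach (synced from AD
# or maintained separately). Keyed by the name the certificate proves.
IDENTITY_DB = {
    "build01.corp.example": {"groups": {"ci-runners"}},
    "web02.corp.example": {"groups": set()},
}


def certificate_identity(peercert):
    """Return the DNS SAN (preferred) or CN: the only identity the cert binds."""
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "DNS":
            return value
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def authorize(peercert, identity_db, required_group):
    """Authorization decision: identity from the cert, groups from the DB."""
    name = certificate_identity(peercert)
    account = identity_db.get(name)
    if account is None:
        return False  # valid certificate, but unknown to our identity database
    # Any group claim the cert might carry is deliberately ignored here.
    return required_group in account["groups"]


def revoke_membership(identity_db, name, group):
    """Membership change in the DB; the certificate itself stays untouched."""
    identity_db.get(name, {"groups": set()})["groups"].discard(group)
    return identity_db
```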