diff --git a/common/thorhelper/thorsoapcall.cpp b/common/thorhelper/thorsoapcall.cpp
index 6fe8f4c8bd6..51ca07f8485 100644
--- a/common/thorhelper/thorsoapcall.cpp
+++ b/common/thorhelper/thorsoapcall.cpp
@@ -1305,7 +1305,7 @@ class CWSCHelper : implements IWSCHelper, public CInterface
 {
 if (clientCert != NULL)
 {
- Owned config = createSecureSocketConfig(clientCert->certificate, clientCert->privateKey, clientCert->passphrase);
+ Owned config = createSecureSocketConfig(clientCert->certificate, clientCert->privateKey, clientCert->passphrase, true);
 ownedSC.setown(createSecureSocketContextEx2(config, ClientSocket));
 }
 else if (clientCertIssuer.length())
diff --git a/esp/services/ws_ecl/ws_ecl_service.cpp b/esp/services/ws_ecl/ws_ecl_service.cpp
index 444f89c27e1..0c330e61cc8 100644
--- a/esp/services/ws_ecl/ws_ecl_service.cpp
+++ b/esp/services/ws_ecl/ws_ecl_service.cpp
@@ -271,7 +271,7 @@ void initBareMetalRoxieTargets(MapStringToMyClass &connMap,
 includeTargetInURL = pc->getPropBool("@includeTargetInURL", true);
 dnsInterval = (unsigned) pc->getPropInt("@dnsInterval", -1);
 if (pc->getPropBool("@tls", false))
- tlsConfig.setown(createSecureSocketConfig(nullptr, nullptr, nullptr));
+ tlsConfig.setown(createSecureSocketConfig(nullptr, nullptr, nullptr, true));
 }
 }
 StringBuffer list;
@@ -299,7 +299,7 @@ void initBareMetalRoxieTargets(MapStringToMyClass &connMap,
 farmerPort = port;
 const char *protocol = farmer.queryProp("@protocol");
 if (protocol && streq(protocol, "ssl"))
- tlsConfig.setown(createSecureSocketConfig(farmer.queryProp("@certificateFileName"), farmer.queryProp("@privateKeyFileName"), nullptr));
+ tlsConfig.setown(createSecureSocketConfig(farmer.queryProp("@certificateFileName"), farmer.queryProp("@privateKeyFileName"), nullptr, true));
 break; //use the first one without port==0
 }
 Owned servers = roxieCluster->getElements("RoxieServerProcess");
diff --git a/esp/smc/SMCLib/TpWrapper.cpp b/esp/smc/SMCLib/TpWrapper.cpp
index 1ad7022709d..05ab0c82c34 100644
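Review bot: The `clientCert != NULL` branch in common/thorhelper/thorsoapcall.cpp builds the config without checking that `clientCert->certificate` and `clientCert->privateKey` actually hold anything, and with `createIfAllNull` now `true` an all-null set comes back as an empty config rather than a null one. If those fields can be null here (their types are not visible in the hunk), the call would presumably go out without the client certificate the caller configured, with nothing recorded. A guard before the call, or at least a comment such as `// an empty clientCert yields a TLS context with no client certificate`, would make that outcome deliberate. The enclosing method starts and ends outside the hunk.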
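Review bot: In the `@protocol` equals `ssl` branch of esp/services/ws_ecl/ws_ecl_service.cpp (second hunk), nothing checks that `@certificateFileName` and `@privateKeyFileName` are either both present or both absent, so a farmer element with only one of them produces a config holding half a key pair. How the socket context treats that is outside the hunk; reading the two `queryProp` results into locals and rejecting or logging the case where exactly one is null would surface the misconfiguration at load time. A one-line comment, `// neither attribute set: TLS without a client certificate`, would also record what the new `true` argument means here. The enclosing function continues beyond the hunk.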
--- a/esp/smc/SMCLib/TpWrapper.cpp
+++ b/esp/smc/SMCLib/TpWrapper.cpp
@@ -2144,7 +2144,7 @@ extern TPWRAPPER_API void initBareMetalRoxieTargets(MapStringToMyClass staticConfig = createSecureSocketConfig(certFileName, keyFileName, passPhraseStr); + Owned staticConfig = createSecureSocketConfig(certFileName, keyFileName, passPhraseStr, false); tlsConfig.setown(createSyncedPropertyTree(staticConfig)); } else
diff --git a/roxie/roxiepipe/roxiepipe.cpp b/roxie/roxiepipe/roxiepipe.cpp
index 5599cbd2df4..7dd068d552d 100644
--- a/roxie/roxiepipe/roxiepipe.cpp
+++ b/roxie/roxiepipe/roxiepipe.cpp
@@ -677,7 +677,7 @@ int main(int argc, char *argv[])
 {
 #ifdef _USE_OPENSSL
 if (useSSL)
- smartSocketFactory = createSecureSmartSocketFactory(hosts.str(), createSecureSocketConfig(nullptr, nullptr, nullptr), retryMode);
+ smartSocketFactory = createSecureSmartSocketFactory(hosts.str(), createSecureSocketConfig(nullptr, nullptr, nullptr, true), retryMode);
 else
 #endif
 smartSocketFactory = createSmartSocketFactory(hosts.str(), retryMode);
diff --git a/system/security/securesocket/securesocket.cpp b/system/security/securesocket/securesocket.cpp
index 4c6e8b10a35..616203b62fb 100644
--- a/system/security/securesocket/securesocket.cpp
+++ b/system/security/securesocket/securesocket.cpp
@@ -2051,10 +2051,13 @@ SECURESOCKET_API ISecureSocketContext* createSecureSocketContextSecretSrv(const
 return createSecureSocketContextSynced(info, ServerSocket);
 }
-IPropertyTree * createSecureSocketConfig(const char* certFileOrBuf, const char* privKeyFileOrBuf, const char* passphrase)
+IPropertyTree * createSecureSocketConfig(const char* certFileOrBuf, const char* privKeyFileOrBuf, const char* passphrase, bool createIfAllNull)
 {
- if (!certFileOrBuf && !privKeyFileOrBuf && !passphrase)
- return nullptr;
+ if (!createIfAllNull)
+ {
+ if (!certFileOrBuf && !privKeyFileOrBuf && !passphrase)
+ return nullptr;
+ }
 Owned config = createPTree("ssl");
 if (certFileOrBuf)
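Review bot: With `createIfAllNull` set, `createSecureSocketConfig` in system/security/securesocket/securesocket.cpp returns a bare `ssl` tree that carries no certificate, key or trust settings, so every caller passing `true` depends on whatever defaults the context constructor applies, including for peer verification. Those defaults are not visible in this hunk and deserve a sentence at the function. Suggested comment above it: `// createIfAllNull: return an empty "ssl" tree (TLS using context defaults) instead of nullptr when no cert, key or passphrase is given`. The nested test can also be a single condition, `if (!createIfAllNull && !certFileOrBuf && !privKeyFileOrBuf && !passphrase)` followed by `return nullptr;`. The function body continues outside the hunk.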
diff --git a/system/security/securesocket/securesocket.hpp b/system/security/securesocket/securesocket.hpp
index 1dac6af9c27..415040e2a3e 100644
--- a/system/security/securesocket/securesocket.hpp
+++ b/system/security/securesocket/securesocket.hpp
@@ -95,7 +95,7 @@ SECURESOCKET_API ISecureSocketContext* createSecureSocketContextSecretSrv(const
 SECURESOCKET_API ISecureSocketContext* createSecureSocketContextSSF(ISmartSocketFactory* ssf);
 //Helper function to aid migration to the functions above. This should eventually be removed.
-SECURESOCKET_API IPropertyTree * createSecureSocketConfig(const char* certFileOrBuf, const char* privKeyFileOrBuf, const char* passphrase);
+SECURESOCKET_API IPropertyTree * createSecureSocketConfig(const char* certFileOrBuf, const char* privKeyFileOrBuf, const char* passphrase, bool createIfAllNull);
 //Legacy factory methods - should be phased out.
 SECURESOCKET_API ISecureSocketContext* createSecureSocketContext(SecureSocketType);
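Review bot: The new `bool createIfAllNull` is undocumented at the declaration and unreadable at call sites such as `createSecureSocketConfig(nullptr, nullptr, nullptr, true)` in esp/services/ws_ecl/ws_ecl_service.cpp and roxie/roxiepipe/roxiepipe.cpp. Extend the comment above the declaration, for example `//createIfAllNull: true returns an empty config when all three inputs are null; false returns nullptr`, and consider naming the argument inline at call sites as `/*createIfAllNull*/ true`. The parameter has no default value, so any caller not updated in this commit stops compiling; that looks deliberate, since it forces each call site to choose, but it is worth saying so in the comment.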