Since October 2025 there has been a significant change in the SSL/TLS certificate industry: public SSL/TLS certificates no longer contain the “Extended Key Usage (EKU) TLS Web Client Authentication (clientAuth / Client Authentication)” extension. This certificate extension made it possible to use a single SSL/TLS certificate for both server and client authentication in Mutual TLS (mTLS) scenarios.

Who is affected?

Most websites and users are not affected, as typically SSL/TLS certificates are only used for server authentication. However, organizations that use public SSL/TLS certificates for client authentication (e.g., mutual TLS or server-to-server authentication) will need to adapt.

The schedule

Support for client authentication for all certification authorities will end in May 2026. SSL certificates valid until May can continue to use clientAuth until the deadline. Renewals and reissues until May are currently only issued with server authentication EKU by default. Until May 2026, client authentication can continue to be used via workarounds. However, this support will also be discontinued from May.

What does this mean for you?

For most companies, the change will have little or no impact if they do not use their public SSL/TLS certificates for client authentication. However, if they do so, they must plan for the transition before the deadline in June 2026.

Our recommendation:

  • Check whether you are using SSL certificates that use client authentication!
  • Contact the manufacturer of the application for which you are using these certificates and check the exact requirements and possible solutions!
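To find out whether a certificate you deploy still carries the clientAuth EKU, you can inspect its Extended Key Usage extension directly. The following is an added example, not part of this advisory and not code from DigiCert or Sectigo: a small stand-alone Python script that walks the DER structure of a PEM or DER certificate, locates the extKeyUsage extension (OID 2.5.29.37) and reports the EKU OIDs it contains. It uses only the standard library; the two sample certificate fragments at the bottom are constructed for illustration (a minimal wrapper around an Extension structure, not full certificates) so the script runs offline. Pass a real certificate file as the first argument to check your own deployment.

```python
"""Check an X.509 certificate (PEM or DER) for the clientAuth Extended Key Usage.

Added example; not part of the original advisory. Standard library only.
"""
import base64
import re
import sys

OID_EXT_KEY_USAGE = "2.5.29.37"
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_NAMES = {
    OID_SERVER_AUTH: "serverAuth",
    OID_CLIENT_AUTH: "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "1.3.6.1.5.5.7.3.8": "timeStamping",
    "1.3.6.1.5.5.7.3.9": "OCSPSigning",
}


def pem_to_der(data: bytes) -> bytes:
    """Accept PEM or DER input; return the raw DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def _read_tlv(buf, pos):
    """Parse one DER tag/length/value; return (tag, value_start, value_end, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside a constructed node."""
    pos = start
    while pos < end:
        tag, vs, ve, pos = _read_tlv(buf, pos)
        yield tag, vs, ve


def _decode_oid(raw: bytes) -> str:
    parts = [str(raw[0] // 40), str(raw[0] % 40)]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)


def _find_extension(buf, start, end, target_oid):
    """Recursively search constructed nodes for Extension { OID, [critical], OCTET STRING }."""
    for tag, vs, ve in _children(buf, start, end):
        if not tag & 0x20:  # primitive node: nothing to descend into
            continue
        if tag == 0x30:
            kids = list(_children(buf, vs, ve))
            if kids and kids[0][0] == 0x06 and _decode_oid(buf[kids[0][1]:kids[0][2]]) == target_oid:
                oct_tag, os_, oe = kids[-1]
                if oct_tag == 0x04:
                    return buf[os_:oe]
        found = _find_extension(buf, vs, ve, target_oid)
        if found is not None:
            return found
    return None


def extended_key_usages(cert: bytes) -> list:
    """Return the list of EKU OIDs in the certificate ([] if the extension is absent)."""
    der = pem_to_der(cert)
    ext = _find_extension(der, 0, len(der), OID_EXT_KEY_USAGE)
    if ext is None:
        return []
    _, vs, ve, _ = _read_tlv(ext, 0)  # ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER
    return [_decode_oid(ext[a:b]) for t, a, b in _children(ext, vs, ve) if t == 0x06]


def has_client_auth(cert: bytes) -> bool:
    return OID_CLIENT_AUTH in extended_key_usages(cert)


# --- constructed sample data (minimal DER wrapper, not a full certificate) ---
def _tlv(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytes([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        enc = [p & 0x7F]
        p >>= 7
        while p:
            enc.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(enc)
    return _tlv(0x06, out)


def _sample_with_ekus(*oids):
    eku_value = _tlv(0x30, b"".join(_oid(o) for o in oids))
    extension = _tlv(0x30, _oid(OID_EXT_KEY_USAGE) + _tlv(0x04, eku_value))
    return _tlv(0x30, _tlv(0xA3, _tlv(0x30, extension)))  # [3] Extensions wrapper


SAMPLE_LEGACY = _sample_with_ekus(OID_SERVER_AUTH, OID_CLIENT_AUTH)  # pre-change style
SAMPLE_NEW = _sample_with_ekus(OID_SERVER_AUTH)                       # server-only style

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LEGACY
    names = [EKU_NAMES.get(o, o) for o in extended_key_usages(data)]
    print("EKU:", ", ".join(names) or "(none)")
    print("clientAuth present:", has_client_auth(data))
```

Run it as `python check_eku.py server.pem`; a certificate renewed after the change should report serverAuth only, which is the signal that any mTLS client relying on it needs one of the alternatives listed below.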

Depending on the application scenario, the following options are available:

  • S/MIME certificates: Switch to publicly trusted S/MIME certificates with Client Authentication EKU. These are specially designed for individual authentication (e.g., for document-related or email scenarios).
  • Self-signed certificates: Use self-signed certificates with Client Authentication EKU – but only for internal scenarios, as these are not automatically trusted from outside.
  • Use of private CA-based client authentication for internal scenarios

Resources:

https://knowledge.digicert.com/alerts/sunsetting-client-authentication-eku-from-digicert-public-tls-certificates

https://www.sectigo.com/faq-client-authentication-eku-deprecation