Client Authentication Extended Key Usage (EKU) Deprecation

Zane Lucas

Due to updates in industry requirements, major Certificate Authorities including Sectigo and Trustico® have announced the deprecation of the Client Authentication Extended Key Usage (EKU) from publicly trusted SSL Certificates.

This change aligns with broader trends in the Certificate Authority ecosystem, as Certificate Authorities move to implement the same industry standards.

What Is Client Authentication EKU?

The Client Authentication Extended Key Usage (EKU) is an extension in SSL Certificates that enables their use in authenticating users or devices to servers, commonly in mutual TLS (mTLS) or server-to-server authentication scenarios.

Traditionally, some SSL Certificates included this EKU by default, allowing for both website security and client authentication in a single SSL Certificate.

Timeline for Deprecation

The deprecation will occur in two phases to ensure a smooth transition for all users. On September 15, 2025, Certificate Authorities will stop including the Client Authentication EKU by default in newly issued SSL Certificates.

Following this initial phase, by May 15, 2026, the Client Authentication EKU will be permanently removed from all newly issued SSL Certificates, with no exceptions.

Why Is This Change Happening?

This update is part of a broader shift in industry standards and best practices. Major browser root programs, such as the Chrome Root Program policy, now require Certificate Authorities to limit the Extended Key Usages (EKUs) carried by publicly trusted SSL Certificates.

These SSL Certificates are designed specifically for securing connections between browsers and web servers. Historically, including the Client Authentication EKU in server SSL Certificates has introduced potential security and operational concerns.

By removing the Client Authentication EKU, Certificate Authorities including Trustico® are aligning with new requirements to ensure SSL Certificates are used strictly for their intended purposes, reducing the risk of misuse or misconfiguration.

Effects on Server Environments

For most users, the deprecation of the client authentication EKU from SSL Certificates will have minimal to no impact. Existing SSL Certificates issued before the cutoff date will remain valid and continue to function as expected until their expiration.

Standard web servers using HTTPS will not be affected by this change, and both current and renewed SSL Certificates issued after the cutoff will continue to operate normally for typical server authentication purposes.

However, if your environment uses mutual TLS (mTLS), server-to-server authentication, or otherwise relies on a server SSL Certificate to authenticate a client, you will need to obtain a separate SSL Certificate or solution that includes the clientAuth EKU.

Additionally, some legacy or enterprise systems may expect both the serverAuth and clientAuth EKUs to be present. To ensure compatibility with the latest industry standards, it is important to verify whether your systems require updates to accommodate this change.

How to Prepare for This Change

To prepare for upcoming changes, the best course of action is to review all SSL Certificates currently in use to verify whether they include the clientAuth Extended Key Usage (EKU) attribute.

Assess your systems to determine if any rely on SSL Certificates for both server and client authentication purposes. Keep in mind that future SSL Certificates will, by default, be issued without the clientAuth EKU, so it is important to plan accordingly for upcoming renewals or reissues.

If you wish to proactively update your SSL Certificates, you may choose to reissue them before the enforcement deadline. Additionally, review and update any automated SSL Certificate request scripts or internal documentation that previously assumed the presence of both EKUs.

If you need assistance with your SSL Certificates or have questions about these changes, please contact Trustico® for further support and guidance through this transition.

What is mTLS?

mTLS, also known as mutual Transport Layer Security, is a mode of the TLS security protocol in which both the client and the server verify each other's identities using Digital Certificates before establishing a secure, encrypted connection.

Unlike standard TLS, which only authenticates the server, mTLS requires both parties to present and validate SSL Certificates, providing an extra layer of trust and security for sensitive communications.

What is TLS?

TLS, or Transport Layer Security, is a widely used encryption protocol that encrypts data sent over the internet to ensure privacy and data integrity between two communicating applications, such as a web browser and a server.

TLS helps protect sensitive information, like passwords and credit card numbers, from being intercepted or tampered with by unauthorized parties during transmission. It is the successor to SSL (Secure Sockets Layer) and is commonly used to secure websites, as indicated by the "https" in web addresses.

Does This Impact S/MIME or Code Signing Certificates?

S/MIME and Code Signing Certificates have their own specific Extended Key Usage (EKU) requirements that are separate from those of TLS server SSL Certificates. As a result, these Certificate types will not be affected by this change.

What Are the Key Deadlines?

September 15, 2025 marks when Certificate Authorities will stop including the Client Authentication EKU by default in newly issued SSL Certificates.

By May 15, 2026, the Client Authentication EKU will be permanently removed from all newly issued SSL Certificates, with no exceptions.

What Is Client Authentication EKU?

The Client Authentication Extended Key Usage (EKU) is an extension in SSL Certificates that allows them to authenticate users or devices, typically in mutual TLS (mTLS) or server-to-server scenarios.

Some SSL Certificates have traditionally included this EKU by default, enabling both website security and client authentication.

How Does This Impact My Environment?

For most users, removing the client authentication EKU from SSL Certificates will have no impact. Existing SSL Certificates remain valid, and standard HTTPS servers will continue to operate normally.

Only environments requiring mutual TLS, client authentication, or legacy systems expecting both EKUs will need to obtain a separate solution or update their systems.

How Should I Prepare for This Change?

To prepare for these changes, review your current SSL Certificates to check for the clientAuth EKU and identify any systems that require both server and client authentication.

Since future SSL Certificates will not include the clientAuth EKU by default, plan for renewals or reissues as needed. Consider reissuing SSL Certificates proactively and update any automated processes or documentation that assume both EKUs are present.
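The review step described under "How to Prepare for This Change" and repeated in the question above (check each certificate for the clientAuth EKU) can be scripted across a certificate inventory. The following is an added example, not Trustico® code or tooling: a standard-library Python script that walks a certificate's DER encoding, finds the extendedKeyUsage extension (OID 2.5.29.37), and lists the purpose OIDs it carries. It accepts PEM or raw DER. The SAMPLE_* inputs are hand-encoded extension fragments constructed for this example (one with the pre-deprecation serverAuth + clientAuth profile, one with serverAuth only), and the function names are this example's own.

```python
"""List a certificate's Extended Key Usage values (added example, stdlib only).

Walks the DER structure, locates the extendedKeyUsage extension
(OID 2.5.29.37) and decodes the purpose OIDs inside it, so an operator can
see which certificates still rely on clientAuth before a reissue drops it.
"""
import base64
import re

EKU_EXTENSION_OID = "2.5.29.37"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
KNOWN = {SERVER_AUTH: "serverAuth", CLIENT_AUTH: "clientAuth"}


def _read_tlv(data, pos):
    """Return (tag, value_bytes, next_pos) for the DER TLV starting at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    first = value[0]
    arcs = [first // 40, first % 40]
    acc = 0
    for b in value[1:]:                    # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _walk(data, pos=0, end=None):
    """Yield every (tag, value) node in a DER blob, depth first."""
    end = len(data) if end is None else end
    while pos < end:
        tag, value, nxt = _read_tlv(data, pos)
        yield tag, value
        if tag & 0x20:                     # constructed type: descend into it
            yield from _walk(value)
        pos = nxt


def pem_to_der(cert):
    """Accept PEM (str or bytes) or raw DER bytes; return DER bytes."""
    if isinstance(cert, bytes) and cert.startswith(b"-----BEGIN"):
        cert = cert.decode()
    if isinstance(cert, str):
        body = re.sub(r"-----[^-]+-----|\s", "", cert)
        return base64.b64decode(body)
    return cert


def extended_key_usages(cert):
    """Return the EKU OIDs present in the certificate ([] if no EKU extension)."""
    nodes = list(_walk(pem_to_der(cert)))
    for i, (tag, value) in enumerate(nodes):
        if tag == 0x06 and _decode_oid(value) == EKU_EXTENSION_OID:
            # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL,
            #                          extnValue OCTET STRING }
            for tag2, value2 in nodes[i + 1:i + 3]:
                if tag2 == 0x04:           # extnValue wraps SEQUENCE OF OID
                    return [_decode_oid(v) for t, v in _walk(value2) if t == 0x06]
    return []


def clientauth_report(cert):
    """Summarise whether the certificate still depends on the clientAuth EKU."""
    ekus = extended_key_usages(cert)
    return {
        "ekus": [KNOWN.get(o, o) for o in ekus],
        "server_auth": SERVER_AUTH in ekus,
        "client_auth": CLIENT_AUTH in ekus,
        "needs_attention": CLIENT_AUTH in ekus,   # reissue will drop clientAuth
    }


# Constructed samples (hand-encoded extendedKeyUsage extensions, not real certs).
SAMPLE_EXTENSION_DER = bytes.fromhex(
    "301d"                      # SEQUENCE, 29 bytes
    "0603551d25"                #   OID 2.5.29.37 (extendedKeyUsage)
    "0416"                      #   OCTET STRING, 22 bytes
    "3014"                      #     SEQUENCE OF OID, 20 bytes
    "06082b06010505070301"      #       serverAuth
    "06082b06010505070302"      #       clientAuth
)
SAMPLE_SERVER_ONLY_DER = bytes.fromhex(
    "3013" "0603551d25" "040c" "300a" "06082b06010505070301"
)
SAMPLE_EXTENSION_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_EXTENSION_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EXTENSION_DER
    print(clientauth_report(data))
```

Run it with a certificate path (PEM or DER) to get a report for that file; with no argument it reports on the constructed sample. For a quick manual check of a single file, the same extension is printed by openssl x509 -in cert.pem -noout -text under "X509v3 Extended Key Usage".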

Is This Related to Shorter SSL Certificate Lifetimes?

This change is unrelated to the upcoming reduction in SSL Certificate lifetimes. It is a separate industry initiative focused on enhancing security by ensuring SSL Certificates are used strictly for their intended purposes, thereby reducing the risk of misuse or misconfiguration.

Will My Existing SSL Certificates Still Work?

Existing SSL Certificates issued before the cutoff will remain valid until expiration. Standard HTTPS web servers and newly issued SSL Certificates will continue to function normally for server authentication purposes.
