Free Trial
Contact Us
Notifications

Deprecation of client authentication EKU from Sectigo SSL/TLS certificates

Sectigo is removing the Client Authentication Extended Key Usage (EKU) from newly issued publicly trusted SSL/TLS certificates. This change aligns with updated industry requirements and best practices to enhance the security and purpose specificity of digital certificates.

April 20, 20262 min read

Table of Contents

What is changing?

  1. Starting October 7, 2025, Sectigo will no longer include the Client Authentication EKU by default in newly issued SSL/TLS certificates.
  2. Effective February 10, 2027, Sectigo will no longer include the Client Authentication EKU in any SSL/TLS certificates. This is a hard deadline, with no exceptions.

This update does not affect existing certificates already issued prior to these dates. They will remain valid until expiration or revocation. 

Why is this change happening?

Google Chrome has updated its enforcement timeline for the deprecation of the Client Authentication (clientAuth) Extended Key Usage (EKU) in publicly trusted TLS server certificates. In alignment with this change, Sectigo is extending its own hard deadline for the complete removal of client authentication.

Who is impacted?

Organizations that use Sectigo SSL/TLS certificates for mutual TLS (mTLS), server-to-server authentication, or other Client Authentication purposes.
If you use SSL/TLS certificates solely for securing websites (HTTPS), no action is required.

What action is required?

If your organization relies on SSL/TLS certificates for Client Authentication, you will need to transition to a Private PKI (Private CA) solution. Private CAs provide flexibility, control, and support for Client Authentication EKUs, ensuring your environment remains secure and compliant.

We encourage impacted organizations to review their current certificate usage and begin planning their migration well ahead of the deadlines.

Key dates

  1. October 7, 2025: Client Authentication EKU no longer included by default in newly issued SSL/TLS certificates
  2. February 10, 2027: Sectigo will no longer include the Client Authentication EKU in any SSL/TLS certificates. This is a hard deadline, with no exceptions.

How Sectigo can help

Sectigo offers comprehensive Private PKI solutions that support Client Authentication and mTLS use cases. Our team is available to help you assess your current deployments and develop a tailored migration plan.

For additional guidance or to speak with a Sectigo expert, contact [email protected].

Learn more

For detailed information about this change and how it may impact your organization, visit our FAQ.