Free Trial
Contact Us
Notifications

Deprecation of client authentication EKU from Sectigo SSL/TLS certificates

Sectigo is removing the Client Authentication Extended Key Usage (EKU) from newly issued publicly trusted SSL/TLS certificates. This change aligns with updated industry requirements and best practices to enhance the security and purpose specificity of digital certificates.

March 20, 2025

Table of Contents

What is changing?

  1. Starting October 7, 2025, Sectigo will no longer include the Client Authentication EKU by default in newly issued SSL/TLS certificates.
  2. By May 15, 2026, Sectigo will permanently remove the Client Authentication EKU from all newly issued SSL/TLS certificates. After this date, no exceptions will be granted.

This update does not affect existing certificates already issued prior to these dates. They will remain valid until expiration or revocation.

Why is this change happening?

Major browser root programs, including Google Chrome, are requiring Certificate Authorities to limit the use of EKUs in publicly trusted SSL/TLS certificates to improve security and compliance. The inclusion of Client Authentication EKU in publicly trusted SSL/TLS certificates is being deprecated industry-wide to reinforce the separation of use cases between public and private certificates.

Who is impacted?

Organizations that use Sectigo SSL/TLS certificates for mutual TLS (mTLS), server-to-server authentication, or other Client Authentication purposes.
If you use SSL/TLS certificates solely for securing websites (HTTPS), no action is required.

What action is required?

If your organization relies on SSL/TLS certificates for Client Authentication, you will need to transition to a Private PKI (Private CA) solution. Private CAs provide flexibility, control, and support for Client Authentication EKUs, ensuring your environment remains secure and compliant.

We encourage impacted organizations to review their current certificate usage and begin planning their migration well ahead of the deadlines.

Key dates

  1. October 7, 2025: Client Authentication EKU no longer included by default in newly issued SSL/TLS certificates
  2. May 15, 2026: Client Authentication EKU fully removed from all newly issued SSL/TLS certificates, with no exceptions

How Sectigo can help

Sectigo offers comprehensive Private PKI solutions that support Client Authentication and mTLS use cases. Our team is available to help you assess your current deployments and develop a tailored migration plan.

For additional guidance or to speak with a Sectigo expert, contact [email protected].

Learn more

For detailed information about this change and how it may impact your organization, visit our FAQ.