Starting October 14, 2025, newly issued, renewed, or reissued SSL/TLS certificates will no longer include the Client Authentication EKU (id-kp-clientAuth).
This industry-wide change, led by Google Chrome and soon to be adopted by other major browsers, reinforces best practices to ensure certificates are used solely for their primary purpose — securing HTTPS connections.
What This Means for You
- No action is required if your certificates are used only for website encryption (HTTPS).
- If certificates are used for mutual authentication (mTLS) or server-to-server identification, review your setup, as these use cases may be affected.
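To find out whether a certificate you rely on for mTLS or server-to-server identification still carries id-kp-clientAuth, the following added example (not part of this notice) inspects a PEM file's Extended Key Usage with the OpenSSL command-line tool; it assumes OpenSSL 1.1.1 or newer is on PATH and generates two constructed self-signed certificates so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the original notice. Reports whether a PEM
# certificate carries the Client Authentication EKU (id-kp-clientAuth).
# Assumes the openssl CLI (1.1.1 or newer, for -ext and -addext) is on PATH.
set -eu

# Returns 0 if the Extended Key Usage lists clientAuth, 1 if it does not,
# and 2 if openssl could not read the file (so a parse failure is never
# mistaken for "no clientAuth"). OpenSSL prints EKU purposes by name.
has_client_auth_eku() {
    eku=$(openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null) || return 2
    case $eku in
        *"TLS Web Client Authentication"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Human-readable verdict for one certificate file.
report() {
    if has_client_auth_eku "$1"; then
        echo "$1: clientAuth EKU present; mTLS / server-to-server use relies on it"
    else
        echo "$1: no clientAuth EKU; fine for HTTPS, unusable as a TLS client cert"
    fi
}

# Constructed sample: a throwaway self-signed certificate with the EKU list
# given in $2, written to $1, so the script runs without a real CA.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days 1 -subj '/CN=sample.example' \
        -addext "extendedKeyUsage=$2" >/dev/null 2>&1
}

# Demonstrate on a pre-change style certificate (both EKUs) and a
# post-change one (serverAuth only). Pass your own PEM files to report instead.
main() {
    dir=$(mktemp -d)
    make_sample_cert "$dir/old-style.pem" 'serverAuth,clientAuth'
    make_sample_cert "$dir/new-style.pem" 'serverAuth'
    report "$dir/old-style.pem"
    report "$dir/new-style.pem"
    rm -rf "$dir"
}

main
```

Run `report /path/to/your.pem` against the certificates your mTLS clients or server-to-server integrations present; any that print "no clientAuth EKU" after renewal will be rejected by peers that require that purpose.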
Key Dates
- October 14, 2025: All new, renewed, and reissued SSL/TLS certificates will exclude the Client Authentication EKU.
- May 15, 2026: The policy becomes mandatory — no exceptions after this date.
Recommended Actions
- Inform your customers about this upcoming change.
- For client authentication requirements, consider migrating to a Private CA solution.