{"id":124,"date":"2025-10-11T17:05:37","date_gmt":"2025-10-11T09:05:37","guid":{"rendered":"https:\/\/www.sslcert.com.hk\/blog\/?p=124"},"modified":"2025-10-11T17:44:14","modified_gmt":"2025-10-11T09:44:14","slug":"important-industry-update-deprecation-of-client-authentication-eku-in-ssl-tls-certificates","status":"publish","type":"post","link":"https:\/\/www.sslcert.com.hk\/blog\/en\/2025\/10\/11\/important-industry-update-deprecation-of-client-authentication-eku-in-ssl-tls-certificates\/","title":{"rendered":"Important Industry Update: Deprecation of Client Authentication EKU in SSL\/TLS Certificates"},"content":{"rendered":"

\u00a0<\/p>\n

Starting October 14, 2025<\/strong>, newly issued, renewed, or reissued SSL\/TLS certificates will no longer include the Client Authentication EKU (id-kp-clientAuth)<\/strong>.
This industry-wide change, led by Google Chrome<\/strong> and soon to be adopted by other major browsers, reinforces best practices to ensure certificates are used solely for their primary purpose \u2014 securing HTTPS<\/strong> connections.<\/p>\n

What This Means for You<\/h4>\n
    \n
  • \n

    No action required<\/strong> if certificates are used only for website encryption (HTTPS).<\/p>\n<\/li>\n

  • \n

    If certificates are used for mutual authentication<\/strong>, mTLS<\/strong>, or server-to-server identification<\/strong>, please review your setup as these use cases may be affected.<\/p>\n<\/li>\n<\/ul>\n

    Key Dates<\/h4>\n
      \n
    • \n

      October 14, 2025:<\/strong> All new, renewed, and reissued SSL\/TLS certificates will exclude the Client Authentication EKU.<\/p>\n<\/li>\n

    • \n

      May 15, 2026:<\/strong> The policy becomes mandatory \u2014 no exceptions after this date.<\/p>\n<\/li>\n<\/ul>\n

      Recommended Actions<\/h4>\n
        \n
      • \n

        Inform your customers about this upcoming change.<\/p>\n<\/li>\n

      • \n

        For client authentication requirements, consider migrating to a Private CA<\/strong> solution.<\/p>\n<\/li>\n<\/ul>\n

        \u00a0<\/p>","protected":false},"excerpt":{"rendered":"

        \u00a0 Starting October 14, 2025, newly issued, renewed, or reissued SSL\/TLS certificates will no longer include the Client Authentication EKU<\/p>\n","protected":false},"author":1,"featured_media":126,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[6,48],"_links":{"self":[{"href":"https:\/\/www.sslcert.com.hk\/blog\/en\/wp-json\/wp\/v2\/posts\/124"}],"collection":[{"href":"https:\/\/www.sslcert.com.hk\/blog\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sslcert.com.hk\/blog\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sslcert.com.hk\/blog\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sslcert.com.hk\/blog\/en\/wp-json\/wp\/v2\/comments?post=124"}],"version-history":[{"count":0,"href":"https:\/\/www.sslcert.com.hk\/blog\/en\/wp-json\/wp\/v2\/posts\/124\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.sslcert.com.hk\/blog\/en\/wp-json\/wp\/v2\/media\/126"}],"wp:attachment":[{"href":"https:\/\/www.sslcert.com.hk\/blog\/en\/wp-json\/wp\/v2\/media?parent=124"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sslcert.com.hk\/blog\/en\/wp-json\/wp\/v2\/categories?post=124"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sslcert.com.hk\/blog\/en\/wp-json\/wp\/v2\/tags?post=124"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}