Deprecation of Client Authentication EKU from Sectigo SSL/TLS Certificates

Q&A
mTLS, also known as mutual TLS or server-to-server authentication, is a form of authentication in which the client and the server each verify the other's digital certificate. Historically, publicly trusted TLS certificates have been used for both client authentication and server authentication; that practice is now being deprecated.
Sectigo will no longer include the Client Authentication Extended Key Usage (EKU) in newly issued publicly trusted SSL/TLS certificates.
Effective April 07, 2025, the Client Authentication EKU will no longer be included in eIDAS QWAC certificates. No exceptions will be granted after this date. Other SSL/TLS certificate types remain unaffected at this point.
Effective September 15, 2025, the Client Authentication EKU will no longer be included by default.
Effective May 15, 2026, the Client Authentication EKU will be permanently removed from all newly issued SSL/TLS certificates. No exceptions will be granted after this date.
The phased approach is designed to give organizations time to assess their use cases, plan their migration, and implement alternative solutions like Private PKI for Client Authentication use cases.
- The September 15, 2025 deadline provides an initial transition period, during which most new certificates will not include the Client Authentication EKU by default. Exceptions to this deadline can be made by Sectigo on a case-by-case basis.
- The May 15, 2026 hard deadline marks the final cutoff, after which no new SSL/TLS certificates issued by Sectigo will include the Client Authentication EKU under any circumstances.
This timeline aligns with industry requirements and Sectigo’s commitment to helping customers make a smooth transition without service disruption.
The earlier enforcement date for eIDAS QWAC certificates reflects requests from the majority of our European customers, who use platforms such as Chorus Pro in EDI mode that already require the Client Authentication EKU to be removed.
The Client Authentication EKU is an extension within a digital certificate that allows it to be used for authenticating clients to servers, commonly as part of mutual TLS (mTLS), server-to-server authentication, and other Client Authentication scenarios.
- April 07, 2025: Sectigo will stop including the Client Authentication EKU in eIDAS QWAC certificates, with no exceptions.
- September 15, 2025: Sectigo will stop including the Client Authentication EKU in SSL/TLS certificates by default.
- May 15, 2026: Sectigo will no longer include the Client Authentication EKU in any SSL/TLS certificates. This is a hard deadline, with no exceptions.
No changes are being made at this time to Sectigo’s S/MIME certificates.
- Multipurpose S/MIME certificates will continue to support the Client Authentication EKU.
- Strict profile S/MIME certificates do not support Client Authentication EKU and remain unchanged.
Sectigo recommends against using publicly trusted certificates for Client Authentication purposes.
If you are using certificates in mutual TLS (mTLS) configurations or for server-to-server authentication, you are likely relying on the Client Authentication EKU. If you are unsure, we recommend reviewing your current certificate deployment or contacting Sectigo for assistance.
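One way to carry out that review, as an added example that is not part of Sectigo's material: the shell script below uses the openssl CLI (assumed to be version 1.1.1 or later and on PATH) to report whether a PEM certificate carries the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2, printed by OpenSSL as "TLS Web Client Authentication"), and audits a directory of certificates. The two self-signed sample certificates it builds are constructed for the demonstration only.

```shell
#!/bin/sh
# Added example, not Sectigo's code. Assumes the openssl CLI (>= 1.1.1) is on PATH.

# Print the Extended Key Usage line of a PEM certificate, or nothing if absent.
eku_of_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/X509v3 Extended Key Usage/ {getline; print; exit}'
}

# Exit 0 if the certificate includes the clientAuth EKU, 1 otherwise.
has_client_auth_eku() {
    eku_of_cert "$1" | grep -q 'TLS Web Client Authentication'
}

# Constructed sample material: a throwaway self-signed certificate with the
# requested extendedKeyUsage value. $1 = output PEM path, $2 = EKU list.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example.invalid" \
        -addext "extendedKeyUsage = $2" \
        -keyout "${1%.pem}.key" -out "$1" >/dev/null 2>&1
}

# List every *.pem file in a directory and flag those that still rely on
# clientAuth, i.e. those that will need a Private CA replacement.
# Usage: audit_certs /path/to/certs
audit_certs() {
    for cert in "$1"/*.pem; do
        [ -f "$cert" ] || continue
        if has_client_auth_eku "$cert"; then
            echo "CLIENT_AUTH_PRESENT $cert"
        else
            echo "client_auth_absent  $cert"
        fi
    done
}

# Demonstration: one certificate resembling a pre-deprecation profile
# (serverAuth + clientAuth) and one resembling a post-deprecation profile
# (serverAuth only), audited side by side.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/legacy.pem" "serverAuth, clientAuth"
make_sample_cert "$demo_dir/current.pem" "serverAuth"
audit_certs "$demo_dir"
```

Point `audit_certs` at the directory where your deployed client certificates live; any line flagged CLIENT_AUTH_PRESENT is a certificate that a post-deadline renewal will no longer be able to replace.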
Sectigo offers Private CA solutions that support Client Authentication EKUs for internal use cases like mTLS. Our team can help assess your needs and design a migration plan that ensures continued authentication functionality.
Major browser and root program providers have introduced new security requirements that prohibit the inclusion of the Client Authentication EKU in publicly trusted SSL/TLS certificates. These changes are designed to reinforce certificate purpose specificity and improve ecosystem security.
If your organization does not use Sectigo SSL/TLS certificates for mTLS (mutual TLS) or server-to-server authentication, no action is required.
If your organization does use SSL/TLS certificates for Client Authentication purposes, you will need to transition to an alternative solution, such as a Private CA.
Sectigo recommends migrating Client Authentication use cases to a Private PKI (Private CA) solution. A Private CA allows you to control certificate issuance policies, including the use of the Client Authentication EKU, and offers more flexibility for mTLS and server-to-server authentication scenarios.
After May 15, 2026, Sectigo SSL/TLS certificates will no longer include the Client Authentication EKU and cannot be used for mTLS or other Client Authentication use cases.
To avoid disruption, we recommend transitioning to Private CA-issued certificates well in advance of this date.
- Assess whether you are using Sectigo SSL/TLS certificates for Client Authentication purposes, including mTLS or server-to-server authentication.
- If so, contact Sectigo sales representatives to explore Private CA options.
- Plan your migration ahead of the September 15, 2025 soft deadline to avoid disruption.
If you have any questions or need assistance, please reach out to us at: clientauth@sectigo.com
Yes, this change applies to both new certificates and reissued or renewed certificates.
After September 15, 2025, any new, renewed, or reissued SSL/TLS certificates will no longer include the Client Authentication EKU by default.
After May 15, 2026, the Client Authentication EKU will not be included in any newly issued SSL/TLS certificates, whether they are new requests, renewals, or reissuances.
If you require certificates with Client Authentication functionality beyond these dates, you should transition to a Private CA solution.
Yes. SSL/TLS certificates that were issued before the deprecation deadlines and include the Client Authentication EKU will continue to work as issued until they expire or are revoked.
This change only applies to newly issued certificates starting April 07, 2025 for eIDAS QWAC and starting September 15, 2025 for other SSL/TLS certificates.