DigiCert to End Support for Client Authentication in TLS Certificates
(6/11/2025) DigiCert announced that it will gradually end support for the Client Authentication Extended Key Usage (EKU) purpose in its public TLS certificates. This change does not affect the regular use of certificates for HTTPS, but it will affect scenarios such as mutual TLS (mTLS) or server-to-server authentication.
Reason and Deadline for Ending the Client Authentication EKU
The change follows Google Chrome ending support for the Client Authentication EKU, which the Google Chrome root program requires. The schedule for the change is as follows:
- From October 1, 2025, this EKU will no longer be added by default, but it will be possible to select it manually.
- From May 1, 2026, it will no longer be possible to add the client authentication EKU at all – this applies to renewals, reinstallations, and duplicates of certificates.
How to Obtain this EKU?
This EKU is primarily used in the banking sector. For users who still require client authentication, DigiCert recommends switching to X9 PKI (designed for the banking sector), using private PKI services, or managing certificates through Trust Lifecycle Manager.
Source and More Information
DigiCert: Sunsetting the client authentication EKU from DigiCert public TLS certificates