September 15, 2025 12:00AM - 12:00AM UTC
Certificate Issuing Platforms
Effective September 15, 2025, Sectigo will no longer include Client Authentication (id-kp-clientAuth) in Extended Key Usage (EKU) for newly issued SSL/TLS certificates.
This change aligns with updated industry requirements and best practices aimed at improving the security and purpose specificity of publicly trusted certificates.
What is changing?
For many years, SSL/TLS certificates have commonly included both Server Authentication and Client Authentication EKUs. Moving forward, the Client Authentication EKU will be deprecated in SSL/TLS certificates due to updated requirements from major Root Programs.
Important dates
Effective September 15, 2025, Sectigo will stop including the Client Authentication EKU in SSL/TLS certificates by default.
Effective May 15, 2026, Sectigo will no longer include the Client Authentication EKU in any newly issued SSL/TLS certificates.
What do your customers need to do?
If they don't use Sectigo SSL/TLS certificates for mutual TLS (mTLS), server-to-server authentication, or other Client Authentication use cases, no action is required.
If they are using SSL/TLS certificates for Client Authentication purposes, we recommend they evaluate alternative solutions as soon as possible. For most organizations, Private PKI offers the best path forward to support mTLS and similar use cases. Please contact a Sectigo sales representative to assist with planning and deploying a Private CA tailored to the environment.
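One way to check whether a certificate in your inventory carries the Client Authentication EKU, as an added example that is not part of Sectigo's notice: a standard-library Python DER walker that reads the Extended Key Usage extension. The function names and the constructed `sample` skeleton (not a real certificate) are assumptions made for illustration.

```python
EKU_EXT = "2.5.29.37"              # id-ce-extKeyUsage
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth

def tlvs(buf):
    """Yield (tag, value) for each DER element in buf (single-byte tags)."""
    i = 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:          # long form: low 7 bits = count of length bytes
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, buf[i:i + length]
        i += length

def oid(value):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, n = [], 0
    for b in value:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:           # last byte of this arc
            arcs, n = arcs + [n], 0
    x = min(arcs[0] // 40, 2)      # first byte group packs the first two arcs
    return ".".join(map(str, [x, arcs[0] - 40 * x] + arcs[1:]))

def eku_oids(der):
    """Return the certificate's EKU OIDs, or None if it has no EKU extension."""
    for tag, val in tlvs(der):
        if not tag & 0x20:         # primitive element: nothing nested to search
            continue
        kids = list(tlvs(val))
        if (tag == 0x30 and len(kids) >= 2 and kids[0][0] == 0x06
                and oid(kids[0][1]) == EKU_EXT and kids[-1][0] == 0x04):
            (_, seq), = tlvs(kids[-1][1])   # extnValue wraps SEQUENCE OF OID
            return [oid(v) for t, v in tlvs(seq) if t == 0x06]
        found = eku_oids(val)
        if found is not None:
            return found
    return None

def has_client_auth(der):
    """True if the certificate lists id-kp-clientAuth in its EKU extension."""
    return CLIENT_AUTH in (eku_oids(der) or [])

def sample(*eku_hex):
    """Constructed input: certificate-shaped DER skeleton with only an EKU extension."""
    d = lambda tag, *p: bytes([tag, len(b"".join(p))]) + b"".join(p)
    ext = d(0x30, d(0x06, bytes.fromhex("551d25")),
            d(0x04, d(0x30, *[d(0x06, bytes.fromhex(h)) for h in eku_hex])))
    return d(0x30, d(0x30, d(0xA3, d(0x30, ext))))
```

For a real PEM file, convert it with `ssl.PEM_cert_to_DER_cert(pem_text)` from the standard library and pass the result to `has_client_auth`. A certificate with no EKU extension at all makes `eku_oids` return `None`, which is distinct from an EKU list that lacks clientAuth.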
Need assistance?
If you are unsure whether this change impacts your customers, or if you need guidance on migrating to alternative solutions, please contact us at clientauth@sectigo.com.
Learn more
For additional information, we have prepared a FAQ covering the deprecation timeline, impacted services, and alternative options.
https://www.sectigo.com/faq-client-authentication-eku-deprecation
Thank you for your prompt attention to this important industry change.