Sectigo recommends against using publicly trusted certificates for Client Authentication purposes.
Also, major browser and root program providers have introduced new security requirements that prohibit the inclusion of the Client Authentication EKU in publicly trusted SSL/TLS certificates.
Thus, since October 7, 2025, SSL certificates no longer include the Client Authentication EKU by default.
The deadline is May 15, 2026, when the Client Authentication EKU will be permanently removed from all newly issued SSL/TLS certificates.
This change applies to both new certificates and reissued or renewed certificates.
SSL/TLS certificates that were issued before the deprecation deadlines and include the Client Authentication EKU will continue to work as they were issued—until they expire or are revoked.
This change only applies to newly issued certificates:
- starting April 07, 2025 for eIDAS QWAC
- starting October 14, 2025 for other SSL/TLS certificates.
All public SSL/TLS certificates issued before May 15, 2026 — including those containing the Client Authentication EKU — will remain valid until their expiration date, provided they are not revoked.
However, after May 15, 2026:
- No new or reissued certificates will include the Client Authentication EKU.
- Renewals after this date will automatically exclude Client Authentication.
This only affects organizations that use certificates for mutual TLS (mTLS), server-to-server authentication, or other Client Authentication purposes.
If your organization relies on SSL/TLS certificates for Client Authentication, you will need to transition to a Private PKI (Private CA) solution.
No changes are being made at this time to Sectigo’s S/MIME certificates.
- Multipurpose S/MIME certificates will continue to support the Client Authentication EKU.
- Strict profile S/MIME certificates do not support Client Authentication EKU and remain unchanged.
What to do:
- Assess whether you are using Sectigo SSL/TLS certificates for Client Authentication purposes, including mTLS or server-to-server authentication.
- If so, contact your sales manager to explore Private CA options.
- Plan your migration ahead of the May 15, 2026 soft deadline to avoid disruption.
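For the assessment step, the following is an added example (not Sectigo tooling) that reads the Extended Key Usage extension from a certificate and reports whether it asserts Client Authentication. It uses only the Python standard library; the function names and the two sample byte strings are constructed for illustration.

```python
import ssl

EKU_EXT = "2.5.29.37"              # id-ce-extKeyUsage
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth

def read_tlvs(buf):
    """Yield (tag, value) for each DER element in buf (definite lengths, low tag numbers)."""
    i = 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:  # long form: the next n bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        yield tag, buf[i:i + length]
        i += length

def decode_oid(body):
    """Decode OID content bytes to dotted form (first byte assumed to hold the first two arcs)."""
    first = min(body[0] // 40, 2)
    arcs, val = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def eku_oids(der):
    """Return the EKU purpose OIDs found in a DER certificate, or [] if there is no EKU."""
    for tag, val in read_tlvs(der):
        if not tag & 0x20:  # primitive element: nothing nested to search
            continue
        kids = list(read_tlvs(val))
        if tag == 0x30 and len(kids) >= 2 and kids[0][0] == 0x06 \
                and kids[-1][0] == 0x04 and decode_oid(kids[0][1]) == EKU_EXT:
            (_, purposes), = read_tlvs(kids[-1][1])  # extnValue wraps SEQUENCE OF OID
            return [decode_oid(v) for t, v in read_tlvs(purposes) if t == 0x06]
        found = eku_oids(val)
        if found:
            return found
    return []

def has_client_auth(cert):
    """Accept a PEM string or DER bytes; True if the certificate asserts clientAuth."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    return CLIENT_AUTH in eku_oids(der)

# Constructed samples: certificate-shaped DER skeletons that carry only an EKU extension.
SAMPLE_BOTH = bytes.fromhex("30253023a321301f301d0603551d250416301406082b06010505070301"
                            "06082b06010505070302")  # serverAuth + clientAuth
SAMPLE_SERVER_ONLY = bytes.fromhex("301b3019a31730153013"
                                   "0603551d25040c300a06082b06010505070301")
```

Run `has_client_auth()` over the PEM files in your certificate inventory; any certificate that returns `True` and is presented by a client in an mTLS handshake is one whose replacement will be affected.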