Client authentication in TLS certificates will soon end.
Jul 25, 2025 | Jindřich Zechmeister
DigiCert has announced that it will gradually discontinue support for the Client Authentication extended key usage (EKU) in its public TLS certificates. The change does not affect the normal use of certificates for HTTPS, but it will affect scenarios such as mutual TLS (mTLS) and server-to-server authentication.
Why is this happening?
The main reason for this change is the discontinuation of support for the Client Authentication EKU in the Google Chrome browser, which is part of a broader effort to ensure the security and integrity of public key infrastructure (PKI). From June 15, 2026, Google Chrome plans to remove from its trusted list root certificates that issue certificates with the Client Authentication EKU. The aim is to eliminate multipurpose root certificates that can be misused for various purposes, thereby increasing user security.
Who is affected by this change?
This change will affect organizations that use public TLS certificates for client authentication, for example, within mTLS or server-to-server communication. If your organization uses TLS certificates solely for securing HTTPS communication, this change does not directly affect you. However, if you plan to implement mTLS or other forms of client authentication in the future, it is important to prepare for this change.
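To find out whether a deployment is affected, the EKU of each certificate it presents for client authentication can be inspected. The following is an added example, not code from DigiCert or from this article: it assumes the `openssl` CLI (1.1.1 or later), the helper names `eku_class` and `make_sample` are hypothetical, and the sample certificates are constructed throwaway inputs.

```shell
#!/bin/sh
# Added example (not from the article). Assumes the openssl CLI, 1.1.1 or later.
# eku_class and make_sample are hypothetical helper names.

# eku_class FILE: print clientAuth | no-clientAuth | no-eku | unreadable
eku_class() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo "unreadable"; return 1; }
    # openssl prints the purposes on the line after the extension header.
    eku=$(printf '%s\n' "$text" |
          awk '/X509v3 Extended Key Usage/ { getline; print; exit }')
    case "$eku" in
        "") echo "no-eku" ;;  # RFC 5280: no EKU extension, no EKU restriction
        *"TLS Web Client Authentication"*) echo "clientAuth" ;;
        *) echo "no-clientAuth" ;;
    esac
}

# make_sample OUT [EKU_LIST]: throwaway self-signed cert (constructed test input)
make_sample() {
    if [ -n "$2" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=constructed.example" -keyout "$1.key" -out "$1" \
            -addext "extendedKeyUsage=$2" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=constructed.example" -keyout "$1.key" -out "$1" \
            2>/dev/null
    fi
}

# Demo on three constructed certificates: both purposes, server only, no EKU.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/both-purposes.pem" "serverAuth,clientAuth"
make_sample "$demo_dir/server-only.pem" "serverAuth"
make_sample "$demo_dir/no-eku.pem"
for f in "$demo_dir"/*.pem; do
    printf '%-14s %s\n' "$(eku_class "$f")" "${f##*/}"
done
rm -rf "$demo_dir"
```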
What to do about it?
DigiCert recommends that organizations requiring client authentication transition to alternative solutions such as X9 PKI, private PKI services, or certificate management through Trust Lifecycle Manager. X9 PKI is a standard designed for the financial sector, enabling secure and efficient certificate management for client authentication. Transitioning to these solutions will ensure the continuity of secure communication and compliance with current security standards.
Conclusion
DigiCert's change in support for client authentication in TLS certificates is part of a broader trend towards separating public and private PKI. Organizations that use certificates for client authentication should start planning their transition to alternative solutions to ensure the continuity and security of their systems. Timely adaptation to this change will help minimize risks and ensure compliance with future security standards.
TLS certificate specialist
Certificated Sales Expert Plus
e-mail: jindrich.zechmeister(at)zoner.com