Meet the new X9 PKI

Jun 11, 2025 | Jindřich Zechmeister

DigiCert X9 PKI is a specialized Public Key Infrastructure (PKI) designed to provide interoperability and flexibility for environments outside of web browsers. It was developed in collaboration with the financial standards body ASC X9 and operates independently of the CA/B Forum and web browser root certificate programs.

What is X9 PKI and why was it created?

X9 PKI was established in response to the financial sector's need for a specialized, interoperable and trustworthy framework. It was developed in collaboration with the nonprofit standards organization ASC X9 and designed to meet the strict security and regulatory requirements of the industry.

Not all TLS certificates are used for the web, so it is not appropriate for their issuance to be regulated solely by browsers. X9 can also be described as a PKI that aims to offer its users stability, which they certainly will not find with browsers and the CA/B Forum. Unlike certificates used in browsers, X9 PKI certificates serve specific purposes, and the two ecosystems will not collide.

The main benefits of X9 PKI are:

  • Easy interoperability, high trustworthiness. A common root of trust significantly facilitates communication in ecosystems such as financial services or industrial production, while ensuring a high level of organization verification.
  • Standards and governance. The operation of X9 PKI is governed by the ASC X9 political committee and is subject to independent audit annually according to the WebTrust standard – a recognized standard for public certificate authorities.
  • Wide range of applications. X9 PKI is designed to support dozens of use-case scenarios derived from years of research into the financial industry's needs – while meeting strict compliance principles and regulatory requirements.
  • Scalability and flexibility. Organizations with their own PKI system can leverage cross-certification with X9 PKI root, allowing smooth and seamless integration.

Who is X9 PKI intended for?

X9 PKI primarily targets the financial and banking sector. This sector will be heavily impacted by the loss of the Client Authentication extended key usage (EKU) in TLS certificates, because it uses it extensively. This certificate extension is also used for mTLS, which ensures mutual identity verification between client and server. mTLS is a way to ensure that both parties are validated during network communication, not just one, which is critical in environments with high security demands.

The Chrome Root Store recently announced that it will no longer trust public TLS certificates that contain the extended key usage (EKU) for client authentication. This change will affect organizations using such certificates for server-to-server communication, for example in mutual TLS (mTLS), for APIs or for other applications outside of web browsers. X9 PKI for TLS represents a ready solution for companies affected by this change. It offers high-trust certificates and the advantage of a common trusted root.
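To find out which of your certificates carry the client authentication EKU, you can read the extension directly from the DER encoding. The following is an added example, not code from DigiCert or SSLmarket: a standard-library-only sketch whose function names and sample byte strings are constructed for illustration, and which does not itself tell you whether a certificate was issued by a public CA.

```python
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"    # id-kp-clientAuth
EKU_OID = b"\x55\x1d\x25"             # body of OID 2.5.29.37 (extendedKeyUsage)
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def children(buf, start, end):        # DER elements directly inside [start, end)
    out = []
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        out.append((tag, vs, ve))
        start = ve
    return out

def decode_oid(body):
    """Dotted form of an OID body (first two arcs packed in one byte)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:              # high bit clear ends this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def eku_purposes(der):
    """KeyPurposeId OIDs in a DER certificate's EKU extension ([] if absent)."""
    _, s, e = read_tlv(der, 0)                       # Certificate
    _, ts, te = children(der, s, e)[0]               # tbsCertificate
    for tag, vs, ve in children(der, ts, te):
        if tag != 0xA3:                              # [3] EXPLICIT extensions
            continue
        _, xs, xe = read_tlv(der, vs)                # SEQUENCE OF Extension
        for _, es, ee in children(der, xs, xe):
            parts = children(der, es, ee)            # OID, [critical], OCTET STRING
            if der[parts[0][1]:parts[0][2]] == EKU_OID:
                _, qs, qe = read_tlv(der, parts[-1][1])   # SEQUENCE in OCTET STRING
                return [decode_oid(der[a:b]) for _, a, b in children(der, qs, qe)]
    return []

# Constructed, unsigned certificate-shaped skeletons carrying only an EKU extension.
KP = "06082b060105050703"             # DER prefix of id-kp-* (1.3.6.1.5.5.7.3.x)
BOTH = bytes.fromhex("30253023a321301f301d0603551d2504163014" + KP + "01" + KP + "02")
SERVER_ONLY = bytes.fromhex("301b3019a317301530130603551d25040c300a" + KP + "01")
```

A certificate is affected when `CLIENT_AUTH in eku_purposes(der)` is true; a PEM file can be converted to DER first with `ssl.PEM_cert_to_DER_cert()` from the Python standard library.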

Get X9 PKI through SSLmarket

If you are interested in acquiring X9 PKI with all its benefits, do not hesitate to contact us and we will arrange onboarding for you with DigiCert.

Resources and more information

  1. ASC X9 website: available here
  2. Article A Modern PKI for Security and Interoperability: available on DigiCert's website

Ing. Jindřich Zechmeister
TLS certificate specialist
Certificated Sales Expert Plus
e-mail: jindrich.zechmeister(at)zoner.com