DigiCert to End Support for Client Authentication in TLS Certificates
(June 11, 2025) DigiCert announced that it will gradually discontinue support for the Client Authentication extended key usage (EKU) in its public TLS certificates. This change will not affect the regular use of certificates for HTTPS, but it will impact scenarios such as Mutual TLS (mTLS) or server-to-server authentication.
Reason and Timeline for Ending Client Authentication EKU
The reason for this change is that Google Chrome is discontinuing support for the Client Authentication EKU, a requirement of the Google Chrome root program. The schedule for the change is as follows:
- From October 1, 2025, this EKU will no longer be included by default, but it can be selected manually.
- From May 1, 2026, it will no longer be possible to add the EKU for client authentication at all – this applies to renewals, reinstalls, and duplicates of certificates.
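To see which deployed certificates rely on this EKU before those dates, the following added example (not from DigiCert or the original article) lists PEM certificates in a directory that include Client Authentication, with their expiry date and issuer. It assumes OpenSSL 1.1.1 or later on the PATH; the function names and the self-signed sample certificates are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: find certificates that carry the Client Authentication EKU.

# Print the Extended Key Usage line of a PEM certificate (empty if absent).
cert_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# Succeed if the certificate lists clientAuth (OID 1.3.6.1.5.5.7.3.2),
# which OpenSSL prints as "TLS Web Client Authentication".
has_client_auth() {
    cert_eku "$1" | grep -q 'TLS Web Client Authentication'
}

# For every *.pem in a directory that has clientAuth, print
# "<file> TAB <notAfter> TAB <issuer>" so affected renewals can be planned.
report_client_auth() {
    local f
    for f in "$1"/*.pem; do
        [ -e "$f" ] || continue
        has_client_auth "$f" || continue
        printf '%s\t%s\t%s\n' "$f" \
            "$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)" \
            "$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')"
    done
}

# Constructed sample input: a throwaway self-signed certificate with the
# given EKU list ($2) written to $1. Hypothetical helper for this demo only.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -addext "extendedKeyUsage=$2" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Demo on constructed certificates: only mtls.pem should be reported.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/mtls.pem" "serverAuth,clientAuth"
make_sample_cert "$demo_dir/web.pem" "serverAuth"
report_client_auth "$demo_dir"
```

Certificates reported here that are used for mTLS or server-to-server authentication are the ones affected at their next renewal, reissue, or duplicate.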
How to Obtain this EKU?
This EKU is mainly used in the banking sector. For users who still need client authentication, DigiCert recommends transitioning to X9 PKI (intended for the banking sector), using private PKI services, or managing certificates through Trust Lifecycle Manager.
Source and More Information
DigiCert: Sunsetting the client authentication EKU from DigiCert public TLS certificates