DigiCert X9 mTLS Certificate with Client Auth EKU
DigiCert X9 PKI for TLS is a certificate primarily intended for host-to-host communication (mTLS, API, internal services) outside the web browser environment. Its key advantage is support for Client Authentication EKU (typically along with Server Authentication EKU) – precisely the use case that is gradually ending in the world of WebPKI. X9 PKI is regulated by ASC X9 standards and ensures interoperability through a common root of trust.
- Price: $439
- Validity: Multiple years
- Usage: mTLS / API / host-to-host
- Trust: standalone PKI (not WebPKI)
- EKU: Client Auth, Server Auth, or both
- Public key length: 2,048 (3,072/4,096) bits
- Root / Trust: X9 Financial PKI - RSA 4096 Root
- Support for multiple domains: up to 250 SAN
- Public key: RSA and ECC
- Certificate reissuance: FREE
- Possibility to add more domains: YES
- Reissue / duplicates: free (unlimited)
Recommended Usage of the Certificate
DigiCert X9 PKI for TLS is ideal wherever a TLS certificate is not primarily used for "web in a browser" but for authentication between systems. Typically, this involves mutual TLS (mTLS), securing APIs, microservices communication, integration layers, and other host-to-host scenarios.
The main benefit of X9 PKI is the Client Authentication EKU in the certificate. In the standard WebPKI environment, the use of public TLS certificates for client authentication is gradually being phased out, which complicates mTLS operation and internal PKI scenarios. X9 PKI provides a standardized alternative outside the browser ecosystem.
The certificate supports up to 250 SAN items per certificate (FQDN and/or IP addresses). Wildcard domains are not supported – only fully qualified DNS names and IP addresses can be included in the certificate.
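A pre-order check of a planned SAN list against the limits stated above (at most 250 entries, FQDN or IP address only, no wildcards). This is an added example, not DigiCert tooling; the function names, the duplicate check and the sample hosts are assumptions made for illustration.

```python
import ipaddress
import re

MAX_SANS = 250  # per-certificate SAN limit stated on this page

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; max 63 chars.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def classify_san(entry):
    """Return ("ip", normalized), ("dns", normalized) or ("reject", reason)."""
    value = entry.strip().lower()
    if "*" in value:
        return ("reject", "wildcard names are not supported")
    try:
        return ("ip", str(ipaddress.ip_address(value)))
    except ValueError:
        pass  # not an IP literal, so treat it as a DNS name
    name = value[:-1] if value.endswith(".") else value
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2:
        return ("reject", "not a fully qualified DNS name")
    if not all(_LABEL.fullmatch(label) for label in labels):
        return ("reject", "invalid DNS label")
    if labels[-1].isdigit():
        # An all-numeric last label means a mistyped IP, not a hostname.
        return ("reject", "malformed IP address")
    return ("dns", name)


def check_san_list(entries):
    """Validate a planned SAN list; return (accepted, problems)."""
    accepted, problems, seen = [], [], set()
    for entry in entries:
        kind, detail = classify_san(entry)
        if kind == "reject":
            problems.append((entry, detail))
        elif (kind, detail) in seen:
            problems.append((entry, "duplicate entry"))
        else:
            seen.add((kind, detail))
            accepted.append((kind, detail))
    if len(accepted) > MAX_SANS:
        problems.append(("<list>", f"{len(accepted)} entries exceed the {MAX_SANS}-SAN limit"))
    return accepted, problems


# Constructed sample input (hypothetical hosts, documentation IP ranges).
SAMPLE = ["api.payments.example.com", "*.example.com", "192.0.2.10",
          "2001:DB8::1", "localhost", "API.payments.example.com", "10.0.0.256"]
```

Running `check_san_list(SAMPLE)` accepts the FQDN and the two IP addresses and reports the wildcard, the single-label name, the case-variant duplicate and the out-of-range IPv4 literal.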
Price List of DigiCert X9 PKI for TLS Certificate
The DigiCert X9 PKI for TLS certificate supports up to 250 SAN items (FQDN and IP addresses). Wildcard domains cannot be used in the certificate.
One-year
$439.00
- Unlimited reissues and duplicates
- Client Auth EKU for mTLS
Extension
+ 1x SAN (FQDN or IP): $439.00
Multi-year order
Save when ordering for multiple years. You can order the certificate for up to 3 years. Each year you receive a consecutive one-year certificate.
- Less administration: one order, one payment.
- Higher savings for longer validity.
- You receive a consecutive certificate automatically.
Prices indicated excluding VAT.
Use of Certificates Outside Web Browsers
DigiCert X9 PKI for TLS is designed for infrastructure where mutual authentication (mTLS) and control over how and where certificates are used are key – typically in internal networks, B2B integrations, and API communications.
Unlike "web" TLS certificates, the primary goal is not visual indication in the browser, but machine/service identity, encryption, and interoperability within the X9 PKI with independent certification policies.
If you are transitioning due to Client Authentication EKU restrictions in WebPKI, X9 PKI is a typical path to maintain the mTLS model long-term.
FAQ – Frequently Asked Questions about DigiCert X9 Certificates
Which certificate should I choose for mTLS communication or Client Auth EKU?
However, if you are dealing with mTLS, API communication, host-to-host connections, or communication between financial institutions, the appropriate choice is a DigiCert X9 certificate.
These certificates:
- allow Client Authentication (EKU) – that is, mutual TLS authentication,
- can be issued for a multi-year period,
- operate within a private trust between financial institutions, not as public WebPKI certificates.
Can a wildcard domain be added to the certificate?
Is the certificate trusted in web browsers?
They are designated for a closed trust model between financial institutions, where trust is governed contractually and technically within the particular ecosystem.
Does the certificate support Client Authentication?
This type of client authentication is not commonly available today with public WebPKI certificates, which is one of the main reasons why X9 is suitable for banking and financial infrastructure.