
DigiCert X9 mTLS Certificate with Client Auth EKU Order

DigiCert X9 PKI for TLS is a certificate primarily intended for host-to-host communication (mTLS, API, internal services) outside the web browser environment. Its key advantage is support for Client Authentication EKU (typically along with Server Authentication EKU) – precisely the use case that is gradually ending in the world of WebPKI. X9 PKI is regulated by ASC X9 standards and ensures interoperability through a common root of trust.

  • OV (Organization Validation): trusted due to the organization's name in the certificate
  • mTLS client auth EKU
  • 1-250 SAN (FQDN / IP)
  • Issuance time: 1-2 days
  • Outside WebPKI
  • Price: $439
  • Validity: Multiple years
  • Usage: mTLS / API / host-to-host
  • Trust: standalone PKI (not WebPKI)
  • EKU: Client Auth, Server Auth, or both
  • Public key length: 2,048 (3,072/4,096) bits
  • Root / Trust: X9 Financial PKI - RSA 4096 Root
  • Support for multiple domains: up to 250 SAN
  • Public key: RSA and ECC
  • Certificate reissuance: FREE
  • Possibility to add more domains: YES
  • Reissue / duplicates: free (unlimited)

Recommended Usage of the Certificate

DigiCert X9 PKI for TLS is ideal wherever a TLS certificate is not primarily used for "web in a browser" but for authentication between systems. Typically, this involves mutual TLS (mTLS), securing APIs, microservices communication, integration layers, and other host-to-host scenarios.

The main benefit of X9 PKI is the Client Authentication EKU in the certificate. In the standard WebPKI environment, the use of public TLS certificates for client authentication is gradually being phased out, which complicates mTLS operation and internal PKI scenarios. X9 PKI provides a standardized alternative outside the browser ecosystem.

The certificate supports up to 250 SAN items per certificate (FQDN and/or IP addresses). Wildcard domains are not supported – only fully qualified DNS names and IP addresses can be included in the certificate.
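A pre-order check of a planned SAN list against the limits above (1-250 entries, FQDN or IP only, no wildcards), as an added example that is not DigiCert's or the seller's code. The function names and the DNS syntax rules used here are assumptions; the CA's own validation may be stricter.

```python
import ipaddress
import re

MAX_SANS = 250  # per-certificate limit stated on this page
# Assumed hostname label rule: letters, digits, inner hyphens, max 63 chars.
LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")

def classify_san(entry):
    """Return ("ip" | "fqdn", normalized value) or raise ValueError."""
    value = entry.strip().lower().rstrip(".")
    if not value:
        raise ValueError("empty entry")
    if "*" in value:
        raise ValueError("wildcards are not supported")
    try:
        return "ip", str(ipaddress.ip_address(value))
    except ValueError:
        pass  # not a literal IP address, try it as a DNS name
    labels = value.split(".")
    if len(labels) < 2:
        raise ValueError("not fully qualified (single label)")
    if len(value) > 253 or not all(LABEL.fullmatch(l) for l in labels):
        raise ValueError("invalid DNS name syntax")
    if labels[-1].isdigit():
        raise ValueError("looks like a malformed IP address")
    return "fqdn", value

def lint_san_list(entries):
    """Return (accepted, problems) for a planned SAN list."""
    accepted, problems, seen = [], [], set()
    for entry in entries:
        try:
            kind, value = classify_san(entry)
        except ValueError as exc:
            problems.append((entry, str(exc)))
            continue
        if value in seen:
            problems.append((entry, "duplicate of an earlier entry"))
            continue
        seen.add(value)
        accepted.append((kind, value))
    if not 1 <= len(accepted) <= MAX_SANS:
        problems.append(("<list>", f"{len(accepted)} usable entries, need 1-{MAX_SANS}"))
    return accepted, problems

# Constructed sample input (reserved documentation names and addresses).
SAMPLE = ["api.example.com", "*.example.com", "192.0.2.10", "2001:db8::1",
          "API.example.com.", "gateway", "10.0.0.256", "bad_host.example.com"]

if __name__ == "__main__":
    ok, bad = lint_san_list(SAMPLE)
    print("accepted:", ok)
    print("problems:", bad)
```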

Price List of DigiCert X9 PKI for TLS Certificate

The DigiCert X9 PKI for TLS certificate supports up to 250 SAN items (FQDN and IP addresses). Wildcard domains cannot be used in the certificate.

One-year

$439.00
  • Unlimited reissues and duplicates
  • Client Auth EKU for mTLS

Extension

+ 1x SAN (FQDN or IP): $439.00


Multi-year order

Save when ordering for multiple years. You can order the certificate for up to 3 years. Each year you receive a consecutive one-year certificate.

  • Less administration: one order, one payment.
  • Higher savings for longer validity.
  • You receive a consecutive certificate automatically.

Prices indicated excluding VAT.

Use of Certificates Outside Web Browsers

DigiCert X9 PKI for TLS is designed for infrastructure where mutual authentication (mTLS) and control over how and where certificates are used are key – typically in internal networks, B2B integrations, and API communications.

Unlike "web" TLS certificates, the primary goal is not visual indication in the browser, but machine/service identity, encryption, and interoperability within the X9 PKI with independent certification policies.

If you are transitioning due to Client Authentication EKU restrictions in WebPKI, X9 PKI is a typical path to maintain the mTLS model long-term.

DigiCert X9 PKI for TLS - use for mTLS and host-to-host communication

FAQ – Frequently Asked Questions about DigiCert X9 Certificates

If you need a standard TLS certificate for public websites (WebPKI, browser trust), choose standard DV/OV/EV certificates.

However, if you are dealing with mTLS, API communication, host-to-host connections, or communication between financial institutions, the appropriate choice is a DigiCert X9 certificate.

These certificates:
  • allow Client Authentication (EKU) – that is, mutual TLS authentication,
  • can be issued for a multi-year period,
  • operate within a private trust between financial institutions, not as public WebPKI certificates.
If you are unsure, please contact our customer support.

No. DigiCert X9 certificates only support specific FQDNs and optionally IP addresses. Wildcard domains (e.g., *.domain.cz) are not supported.

No. DigiCert X9 certificates are not intended for public websites and are not part of the standard WebPKI trust in ordinary browsers.

They are intended for a closed trust model between financial institutions, where trust is governed contractually and technically within the particular ecosystem.

Yes. DigiCert X9 certificates support Extended Key Usage (EKU) for Client Authentication, which enables secure mTLS scenarios.

This type of client authentication is not commonly available today with public WebPKI certificates, which is one of the main reasons why X9 is suitable for banking and financial infrastructure.