Sun-setting of EKU Client Authentication

JamesBowen

19+ years Progress programming and still learning.
This isn't an OpenEdge-specific issue, but rather a broader web security concern.

We currently use Let's Encrypt certificates for mutual TLS (mTLS) connections with external APIs. Starting 15 September, Let's Encrypt will no longer include the EKU Client Authentication attribute in its certificates. While a temporary workaround will be available, full support ends in May 2026.

As we require certificates signed by a public CA (self-signed is not an option), this change poses a challenge. Moreover, this shift isn’t limited to Let's Encrypt—most major certificate authorities are aligning with stricter requirements driven by Google Chrome’s security policies.

One potential solution is adopting a managed PKI service, but the cost is prohibitive for our use case.

I’m interested to know if this change will affect your organization, and what approach you're planning to take in response.
 
I've got no idea! Have you got a link to a news article that explains it in dummy terms so I can send it to the powers that be?
 
Starting May 2026, public certificate authorities (CAs) will no longer support TLS client authentication due to changes in Chrome’s root program.
If your organization uses public SSL/TLS certificates to authenticate users, devices, or apps, you’ll need to switch to a private CA.
This change affects systems like VPNs, mTLS, and Wi-Fi onboarding.
Modern private CA solutions, especially when paired with Certificate Lifecycle Management (CLM), provide a secure and scalable alternative.
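An added example (not from this thread, and not OpenEdge or Let's Encrypt tooling): a POSIX shell check that inventories which PEM certificates carry the clientAuth EKU that public CAs are dropping, so you know which ones must move to a private CA before May 2026. It assumes OpenSSL 1.1.1 or newer is on PATH and builds its own constructed self-signed certificates as sample input.

```shell
#!/bin/sh
# Added example (not from this thread): find which PEM certificates carry the
# id-kp-clientAuth Extended Key Usage that public CAs are dropping, so the
# certificates that must move to a private CA can be inventoried.
# Assumes OpenSSL 1.1.1 or newer on PATH (-addext is used to build test input).

# Report whether one PEM certificate lists "TLS Web Client Authentication" in
# its EKU. Returns 0 if present, 1 if an EKU exists but lacks clientAuth,
# 2 if the certificate has no EKU extension, 3 if the file cannot be parsed.
eku_client_auth() {
    cert_text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 3
    # EKU values are printed on the line after the extension header.
    eku_line=$(printf '%s\n' "$cert_text" | awk '/X509v3 Extended Key Usage/ { getline; print; exit }')
    if [ -z "$eku_line" ]; then
        echo "$1: no EKU extension"
        return 2
    fi
    case "$eku_line" in
        *"TLS Web Client Authentication"*)
            echo "$1: clientAuth PRESENT - affected by the public CA change"
            return 0 ;;
        *)
            echo "$1: clientAuth absent ($eku_line)"
            return 1 ;;
    esac
}

# Walk a directory of PEM certificates and print one report line per file.
audit_cert_dir() {
    for cert_file in "$1"/*.pem; do
        eku_client_auth "$cert_file" || true
    done
}

# Build a constructed self-signed certificate (sample input only, not a real
# Let's Encrypt certificate) with the given EKU list, e.g. "serverAuth,clientAuth".
make_test_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1" -days 1 -subj "/CN=mtls-client.example.test" \
        -addext "extendedKeyUsage=$2" >/dev/null 2>&1
}

# Demo on two constructed certificates: one mTLS-style (server+client) and one
# server-only, which is what a public certificate will look like after the change.
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir/mtls.pem" "serverAuth,clientAuth"
make_test_cert "$demo_dir/server-only.pem" "serverAuth"
audit_cert_dir "$demo_dir"
rm -rf "$demo_dir"
```

Point `audit_cert_dir` at the directory holding your current Let's Encrypt client certificates to see which connections depend on the attribute being removed.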