Removing the client authentication EKU from public TLS certificates

Solution ID : ALERT53
Last Modified : 03/03/2026

 

Update: Google Chrome updated their root program requirements and extended the timeline for removing the Client Authentication extended key usage (EKU) from public TLS certificates.
DigiCert can continue to include Client Authentication EKU in public TLS certificates until March 1, 2027. 

 

Google Chrome Root Program requirements

The Google Chrome Root Program requires Certificate Authorities (CAs) to stop including the Client Authentication extended key usage (EKU) in public TLS certificates. To align with this requirement and enhance digital trust, DigiCert will stop including the Client Authentication EKU in our public TLS certificates on March 1, 2027.


This change affects all of DigiCert's public TLS certificates (DV, OV, EV, EU Qualified Website Authentication Certificate (QWAC), and EU QWAC PSD2) and all DigiCert brands: DigiCert®, GeoTrust®, Thawte®, RapidSSL®, and Encryption Everywhere®.

Important: This is a dynamic article. DigiCert will update it when new information becomes available. Save this page and check back periodically for the latest information.  

 


What is DigiCert doing to sunset the Client Authentication EKU in public TLS certificates? 

Step 1: Stop including the Client Authentication EKU in our public TLS certificates by default.

On October 1, 2025, DigiCert stopped including the Client Authentication EKU in all our public TLS certificates by default and issued these certificates with the Server Authentication EKU only. Learn more about when DigiCert stopped including the Client Authentication EKU in public TLS certificates by default.

What if I need to include the Client Authentication EKU in my public TLS certificates?  

  • Choose to include the Client Authentication EKU during certificate enrollment
    You can choose to include the Client Authentication EKU in your TLS certificates, but you must do it proactively. When enrolling for public TLS certificates via CertCentral® and the Services API, you must choose to include the Server Authentication and Client Authentication EKUs in your certificate. See our Extended key usage (EKU) options article.
  • Configure the default EKU setting for your public TLS certificates
    If you are a CertCentral® administrator, you can use Server Authentication and Client Authentication as the default EKU settings for your TLS certificates. Learn more about updating the default EKU option selection for your public TLS certificate.
     

Step 2: Stop issuing public TLS certificates that include the Client Authentication EKU.

On March 1, 2027, DigiCert will fully remove the Client Authentication EKU from our public TLS certificate issuance process for all certificates, including renewals, reissues, and duplicate certificates. The option to choose the Client Authentication EKU during enrollment for public TLS certificates will no longer be available.  

This change will not affect your existing TLS certificates with the Client Authentication EKU issued before March 1, 2027. These certificates will remain trusted until they expire.  

If you require the Client Authentication EKU beyond March 1, 2027, see What do you need to do below.  

Timeline of events with Chrome policy and DigiCert transition plan

Change: Extended Key Usage (EKU)

Chrome Policy
  • Prior to March 15, 2027: Both Server and Client Authentication EKUs can be included in TLS certificates.
  • Starting March 15, 2027: Only Server Authentication EKU can be included in TLS certificates.

DigiCert transition plan
  • October 1, 2025: Start issuing public TLS certificates with only the Server Authentication EKU by default. Temporarily, provide an option to include both Server and Client Authentication EKUs during enrollment.
  • March 1, 2027: Fully remove the Client Authentication EKU from newly issued public TLS certificates (new, renewals, reissues, and duplicates).


What should I do to prepare for the Client Authentication EKU removal from public TLS certificates?  

Do you also use TLS certificates for client authentication?

  • We use TLS certificates for securing websites only (HTTPS)
    If you use your SSL/TLS certificates solely for securing websites (HTTPS), then no action is required.
    However, DigiCert recommends reviewing your TLS certificate process to verify that securing websites is its only use. Disruption could occur if certificates intended for client authentication carry only the Server Authentication EKU.
  • We use TLS certificates for Mutual TLS (mTLS), server-to-server authentication, or other authentication use cases
    If your organization requires the Client Authentication EKU in your DigiCert TLS certificates for mTLS or server-to-server authentication, then action is required. DigiCert has excellent options available for our customers and partners who require the Client Authentication EKU beyond March 1, 2027.
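
One way to carry out the review described above, as an added example that is not DigiCert's code: a standard-library Python check that reads the EKU extension from a certificate and reports whether it carries clientAuth, so certificates used for mTLS can be inventoried. The function names and the two sample byte strings are constructed for illustration.

```python
import ssl

EKU_EXT = "2.5.29.37"              # id-ce-extKeyUsage
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth

def tlvs(buf):
    """Yield (tag, content) for each DER element at the top level of buf."""
    i = 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, buf[i:i + length]
        i += length

def oid(content):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, val = [], 0
    for b in content:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def eku_oids(der):
    """Return the KeyPurposeId OIDs in the EKU extension, or [] if absent."""
    for tag, content in tlvs(der):
        kids = list(tlvs(content)) if tag & 0x20 else []  # constructed types only
        if tag == 0x30 and kids and kids[0][0] == 0x06 and oid(kids[0][1]) == EKU_EXT:
            seq = next(tlvs(kids[-1][1]))[1]  # extnValue OCTET STRING -> SEQUENCE
            return [oid(c) for _, c in tlvs(seq)]
        if kids and (found := eku_oids(content)):
            return found
    return []

def classify(cert):
    """Label a certificate (PEM text or DER bytes) by its EKU for mTLS planning."""
    der = ssl.PEM_cert_to_DER_cert(cert.strip()) if isinstance(cert, str) else cert
    ekus = eku_oids(der)
    if CLIENT_AUTH in ekus:
        return "clientAuth present"
    return "serverAuth only" if SERVER_AUTH in ekus else "no serverAuth/clientAuth EKU"

# Constructed sample inputs: bare DER Extensions fragments, not real certificates.
BOTH = bytes.fromhex("301f301d0603551d250416301406082b0601050507030106082b06010505070302")
SERVER_ONLY = bytes.fromhex("301530130603551d25040c300a06082b06010505070301")
```

Pass `classify()` the PEM text of each certificate your clients present in mTLS: a "clientAuth present" result on a public DigiCert certificate marks one that cannot be renewed with that EKU after March 1, 2027.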

Solutions for organizations that require the Client Authentication EKU in their DigiCert TLS certificates

X9 PKI for TLS certificates

Transition to DigiCert’s X9 PKI for TLS certificates to secure communications involving multiple organizations. Regulated by the ASC X9 standards body, X9 PKI is governed by an independent certificate policy that is unaffiliated with the browsers but ensures interoperability by using a common root of trust. X9 PKI for TLS certificates can have both client and server authentication EKUs, meeting today's unique need for control, security, flexibility, and scalability with encryption, identity, and cross-certification capabilities. Learn more about X9 PKI and schedule a consultation.

Private Trust

Transition to Private PKI as a service for business needs that are strictly internal. DigiCert can configure and operate a private PKI for your organization, leveraging our operational expertise and investments in security. Learn more.


Affected TLS products

Brand / Validation type / Product

DigiCert

OV
  • Basic OV
  • Secure Site OV
  • Secure Site Pro SSL
  • Cloud
  • Standard SSL
  • Multi-Domain SSL
  • Wildcard
  • Secure Site SSL
  • Secure Site Multi-Domain SSL
  • Secure Site Wildcard SSL
EV
  • Basic EV
  • Secure Site EV
  • Secure Site Pro EV SSL
  • Extended Validation SSL
  • EV Multi-Domain SSL
  • Secure Site EV SSL
  • Secure Site EV Multi-Domain SSL
EU QWAC
  • EU Qualified Website Authentication Certificate
  • EU Qualified Website Authentication Certificate PSD2

GeoTrust

DV
  • GeoTrust DV SSL
  • GeoTrust Cloud DV
  • GeoTrust Standard DV
  • GeoTrust Wildcard DV
OV
  • GeoTrust TrueBusiness ID OV
EV
  • GeoTrust TrueBusiness ID EV

Thawte

DV
  • Thawte SSL 123 DV
OV
  • Thawte SSL Webserver OV
EV
  • Thawte SSL Webserver EV

RapidSSL

DV
  • RapidSSL Standard DV
  • RapidSSL Wildcard DV

Encryption Everywhere

DV
  • Encryption Everywhere DV