Knowledge Base

Description

DigiCert will no longer include the Client Authentication Extended Key Usage (EKU) in our public TLS certificates by default starting October 1, 2025. This change aligns with Google Chrome’s root program requirements to enhance security and promote interoperability.

What is changing?

Today, DigiCert includes both Server Authentication and Client Authentication Extended Key Usages (EKUs) in public TLS certificates.

On October 1, 2025

DigiCert will stop including the Client Authentication EKU in public TLS certificates by default and issue these certificates with the Server Authentication EKU only.

How does this affect you?

You can still choose to include the Client Authentication EKU in your TLS certificates after October 1, but you must do it proactively during the enrollment process. Disruption could occur if your certificates intended for client authentication only carry the Server Authentication EKU.

On May 1, 2026

DigiCert will fully remove the Client Authentication EKU from our public TLS certificate issuance process for all certificates, including renewals, reissues, and duplicate certificates. The option to choose the Client Authentication EKU during enrollment for public TLS certificates will no longer be available.

How does this affect you?

After May 1, 2026, public TLS certificates issued by DigiCert will no longer be usable for client authentication. This change will not affect your existing TLS certificates with the Client Authentication EKU issued before May 1, 2026. These existing certificates will remain trusted until they expire.

If you require the Client Authentication EKU beyond May 1, 2026, see What do you need to do below.

Why is DigiCert issuing public TLS certificates with only the Server Authentication EKU from dedicated TLS root hierarchies?

Google Chrome Root Program requires Certificate Authorities to use dedicated TLS root hierarchies to improve security and compliance. The Chrome root store policy does not apply to other PKI use cases, such as Client Authentication and Code Signing.

To adhere to the Chrome Root Program, DigiCert will convert the following public root CAs to dedicated TLS root hierarchies:

• DigiCert Global G2
• DigiCert Global G3
• DigiCert TLS ECC P384 Root G5
• DigiCert TLS RSA4096 Root G5
• QuoVadis Root CA 2 G3

Starting June 15, 2026, Google Chrome will only trust public TLS certificates issued from the root CAs listed above.

Timeline of events with Chrome policy and DigiCert transition plan

What do you need to do?

• Securing website only (HTTPS)
  If using your SSL/TLS certificates solely for securing websites (HTTPS), then no action is required. However, DigiCert recommends reviewing your TLS certificate process to verify it only includes securing websites.

• Mutual TLS (mTLS), server-to-server authentication, or other authentication use cases
  If your organization requires the Client Authentication EKU in your DigiCert TLS certificates for mTLS or server-to-server authentication, then action is required. DigiCert has excellent options available for our customers and partners who require the client authentication EKU beyond May 1, 2026.

X9 PKI for TLS certificates

Transition to DigiCert’s X9 PKI for TLS certificates to secure communications involving multiple organizations. Regulated by the ASC X9 standards body, X9 PKI is governed by an independent certificate policy unaffiliated with the browsers, but that ensures interoperability by using a common root of trust. X9 PKI for TLS certificates can have both client and server authentication EKUs, meeting today's unique need for control, security, flexibility, and scalability with encryption, identity, and cross-certification capabilities. Learn more about X9 PKI and schedule a consultation.

Private trust

Transition to PKI as a service for business needs that are strictly internal. DigiCert can configure and operate a private PKI for your organization, leveraging our operational expertise and investments in security. Learn more.

Affected TLS products