Important: This is a dynamic article. DigiCert will update it when new information becomes available. Save this page and check back periodically for the latest information.
DigiCert will no longer include the Client Authentication Extended Key Usage (EKU) in our public TLS certificates by default starting October 1, 2025. This change aligns with Google Chrome’s root program requirements to enhance security and promote interoperability.
Today, DigiCert includes both Server Authentication and Client Authentication Extended Key Usages (EKUs) in public TLS certificates.
DigiCert will stop including the Client Authentication EKU in public TLS certificates by default and issue these certificates with the Server Authentication EKU only.
How does this affect you?
You can still include the Client Authentication EKU in your TLS certificates after October 1, but you must select it proactively during the enrollment process. Disruption could occur if certificates intended for client authentication carry only the Server Authentication EKU.
Starting May 1, 2026, DigiCert will fully remove the Client Authentication EKU from our public TLS certificate issuance process for all certificates, including renewals, reissues, and duplicate certificates. The option to choose the Client Authentication EKU during enrollment for public TLS certificates will no longer be available.
How does this affect you?
After May 1, 2026, public TLS certificates issued by DigiCert will no longer be usable for client authentication. This change will not affect your existing TLS certificates with the Client Authentication EKU issued before May 1, 2026. These existing certificates will remain trusted until they expire.
If you require the Client Authentication EKU beyond May 1, 2026, see What do you need to do below.
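To see which certificates you hold today carry the Client Authentication EKU, and so would lose it on a replacement issued with Server Authentication only, you can inventory them from their PEM files. The Go program below is an added example, not DigiCert code; `Finding`, `AuditEKU` and `sampleCert` are hypothetical names, and the two certificates it inspects are constructed, self-signed samples.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding records the EKUs and expiry of one certificate in a PEM bundle.
type Finding struct{ Subject string; ServerAuth, ClientAuth bool; NotAfter time.Time }

// AuditEKU parses every CERTIFICATE block in the bundle; other PEM types (keys) are skipped.
func AuditEKU(bundle []byte) (out []Finding, err error) {
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, perr := x509.ParseCertificate(block.Bytes)
		if perr != nil {
			return nil, perr
		}
		f := Finding{Subject: cert.Subject.CommonName, NotAfter: cert.NotAfter}
		for _, u := range cert.ExtKeyUsage {
			f.ServerAuth = f.ServerAuth || u == x509.ExtKeyUsageServerAuth
			f.ClientAuth = f.ClientAuth || u == x509.ExtKeyUsageClientAuth
		}
		out = append(out, f)
	}
	return out, nil
}

// sampleCert builds a constructed self-signed certificate (sample input only; errors ignored).
func sampleCert(cn string, ekus ...x509.ExtKeyUsage) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotAfter: time.Now().Add(24 * time.Hour), ExtKeyUsage: ekus}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	bundle := append(sampleCert("mtls.example", x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth), sampleCert("www.example", x509.ExtKeyUsageServerAuth)...)
	fmt.Println(AuditEKU(bundle))
}
```

A finding with `ClientAuth` set marks a certificate to review before its `NotAfter` date, since the certificate itself stays trusted until it expires.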
The Google Chrome Root Program requires Certificate Authorities to use dedicated TLS root hierarchies to improve security and compliance. The Chrome root store policy does not apply to other PKI use cases, such as Client Authentication and Code Signing.
To adhere to the Chrome Root Program, DigiCert will convert the following public root CAs to dedicated TLS root hierarchies:
Starting June 15, 2026, Google Chrome will only trust public TLS certificates issued from the root CAs listed above.
| Change | Chrome Policy | DigiCert transition plan |
| --- | --- | --- |
| Extended Key Usage (EKU) | Prior to June 15, 2026: Both Server and Client Authentication EKUs can be included in TLS certificates. Starting June 15, 2026: Only Server Authentication EKU can be included in TLS certificates. | Fully remove the Client Authentication EKU from newly issued public TLS certificates (new, renewals, reissues, and duplicates). |
| PKI Hierarchy | Prior to June 15, 2026: TLS certificates may be issued from multipurpose root hierarchies. Starting June 15, 2026: TLS certificates must be issued from dedicated TLS root hierarchies. | DigiCert will convert the following roots to dedicated TLS hierarchies: |
Transition to DigiCert’s X9 PKI for TLS certificates to secure communications involving multiple organizations. Regulated by the ASC X9 standards body, X9 PKI is governed by an independent certificate policy that is unaffiliated with the browsers but ensures interoperability by using a common root of trust. X9 PKI for TLS certificates can have both client and server authentication EKUs, meeting today's unique need for control, security, flexibility, and scalability with encryption, identity, and cross-certification capabilities. Learn more about X9 PKI and schedule a consultation.
Transition to PKI as a service for business needs that are strictly internal. DigiCert can configure and operate a private PKI for your organization, leveraging our operational expertise and investments in security. Learn more.
| Brand | Validation type | Product |
| --- | --- | --- |
| DigiCert | OV | |
| DigiCert | EV | |
| GeoTrust | DV | |
| GeoTrust | OV | |
| GeoTrust | EV | |
| Thawte | DV | |
| Thawte | OV | |
| Thawte | EV | |
| RapidSSL | DV | |
| Encryption Everywhere | DV | |