Sunsetting the client authentication EKU from DigiCert public TLS certificates

Solution ID : ALERT53
Last Modified : 06/06/2025

Description

Important: This is a dynamic article. DigiCert will update it when new information becomes available. Save this page and check back periodically for the latest information.


DigiCert will no longer include the Client Authentication Extended Key Usage (EKU) in our public TLS certificates by default starting October 1, 2025. This change aligns with Google Chrome’s root program requirements to enhance security and promote interoperability.


What is changing?

Today, DigiCert includes both Server Authentication and Client Authentication Extended Key Usages (EKUs) in public TLS certificates.

On October 1, 2025

DigiCert will stop including the Client Authentication EKU in public TLS certificates by default and issue these certificates with the Server Authentication EKU only.

How does this affect you?

You can still choose to include the Client Authentication EKU in your TLS certificates after October 1, 2025, but you must do so proactively during the enrollment process. Disruption could occur if a certificate you intend to use for client authentication carries only the Server Authentication EKU.

On May 1, 2026

DigiCert will fully remove the Client Authentication EKU from our public TLS certificate issuance process for all certificates, including renewals, reissues, and duplicate certificates. The option to choose the Client Authentication EKU during enrollment for public TLS certificates will no longer be available.

How does this affect you?

After May 1, 2026, public TLS certificates issued by DigiCert will no longer be usable for client authentication. This change will not affect your existing TLS certificates with the Client Authentication EKU issued before May 1, 2026. These existing certificates will remain trusted until they expire.

If you require the Client Authentication EKU beyond May 1, 2026, see "What do you need to do?" below.


Why is DigiCert issuing public TLS certificates with only the Server Authentication EKU from dedicated TLS root hierarchies?

The Google Chrome Root Program requires Certificate Authorities (CAs) to use dedicated TLS root hierarchies to improve security and compliance. The Chrome Root Store policy does not apply to other PKI use cases, such as Client Authentication and Code Signing.

To adhere to the Chrome Root Program, DigiCert will convert the following public root CAs to dedicated TLS root hierarchies:

  • DigiCert Global G2
  • DigiCert Global G3
  • DigiCert TLS ECC P384 Root G5
  • DigiCert TLS RSA4096 Root G5
  • QuoVadis Root CA 2 G3

Starting June 15, 2026, Google Chrome will only trust public TLS certificates issued from the root CAs listed above.


Timeline of events with Chrome policy and DigiCert transition plan

Change: Extended Key Usage (EKU)

  Chrome Policy
    Prior to June 15, 2026: Both Server and Client Authentication EKUs can be included in TLS certificates.
    Starting June 15, 2026: Only the Server Authentication EKU can be included in TLS certificates.

  DigiCert transition plan
    October 1, 2025:
      • Start issuing public TLS certificates with only the Server Authentication EKU by default.
      • Temporarily provide an option to include both Server and Client Authentication EKUs during enrollment.
    May 1, 2026: Fully remove the Client Authentication EKU from newly issued public TLS certificates (new, renewals, reissues, and duplicates).

Change: PKI Hierarchy

  Chrome Policy
    Prior to June 15, 2026: TLS certificates may be issued from multipurpose root hierarchies.
    Starting June 15, 2026: TLS certificates must be issued from dedicated TLS root hierarchies.

  DigiCert transition plan
    DigiCert will convert the following roots to dedicated TLS hierarchies:
      • DigiCert Global G2
      • DigiCert Global G3
      • DigiCert TLS ECC P384 Root G5
      • DigiCert TLS RSA4096 Root G5
      • QuoVadis Root CA 2 G3


What do you need to do?

  • Securing websites only (HTTPS)
    If you use your SSL/TLS certificates solely for securing websites (HTTPS), no action is required. However, DigiCert recommends reviewing your TLS certificate process to verify that it covers only securing websites.
  • Mutual TLS (mTLS), server-to-server authentication, or other authentication use cases
    If your organization requires the Client Authentication EKU in your DigiCert TLS certificates for mTLS or server-to-server authentication, action is required. DigiCert has excellent options available for customers and partners who require the Client Authentication EKU beyond May 1, 2026.
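The review recommended above boils down to two questions per certificate: which EKUs does it actually carry, and is it relied on for client authentication? The following Go program is an added example written for this article, not DigiCert code or tooling. It parses a PEM certificate with the standard library, reports the serverAuth and clientAuth EKUs, and classifies the certificate against the dates in this article. The `MakeSampleCert`, `SampleBothEKUs` and `SampleServerOnly` helpers build constructed self-signed certificates that stand in for real issued ones; the `usedForClientAuth` flag is an assumption the operator supplies from their own inventory, since nothing in the certificate says how it is deployed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Date from the article: after this, public TLS issuance carries no clientAuth EKU.
var clientAuthRemoval = time.Date(2026, time.May, 1, 0, 0, 0, 0, time.UTC)

// Outcomes recorded by the inventory review.
const (
	StatusOK            = "ok: HTTPS-only use, no action required"
	StatusBroken        = "action required: relied on for client authentication but carries no clientAuth EKU"
	StatusPlanMigration = "plan migration: clientAuth EKU present, but public TLS renewals after May 1, 2026 will not carry it"
)

// EKUReport is what a certificate inventory should record per certificate.
type EKUReport struct {
	Subject             string
	HasServerAuth       bool // id-kp-serverAuth, OID 1.3.6.1.5.5.7.3.1
	HasClientAuth       bool // id-kp-clientAuth, OID 1.3.6.1.5.5.7.3.2
	IssuedBeforeRemoval bool // notBefore precedes May 1, 2026: stays trusted until NotAfter
	NotAfter            time.Time
	Status              string
}

// InspectEKU parses one PEM certificate and classifies it. usedForClientAuth is the
// operator's own knowledge of the deployment (mTLS, server-to-server authentication).
func InspectEKU(pemData []byte, usedForClientAuth bool) (EKUReport, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return EKUReport{}, fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return EKUReport{}, fmt.Errorf("parse certificate: %w", err)
	}
	r := EKUReport{Subject: cert.Subject.CommonName, NotAfter: cert.NotAfter}
	for _, eku := range cert.ExtKeyUsage {
		switch eku {
		case x509.ExtKeyUsageServerAuth:
			r.HasServerAuth = true
		case x509.ExtKeyUsageClientAuth:
			r.HasClientAuth = true
		}
	}
	r.IssuedBeforeRemoval = cert.NotBefore.Before(clientAuthRemoval)
	switch {
	case !usedForClientAuth:
		r.Status = StatusOK
	case !r.HasClientAuth:
		r.Status = StatusBroken // breaks mTLS today, whatever the date
	default:
		r.Status = StatusPlanMigration // works until NotAfter; renewal path changes
	}
	return r, nil
}

// MakeSampleCert builds a constructed, self-signed certificate with the given EKUs.
// It stands in for a real CA-issued certificate in this example only.
func MakeSampleCert(cn string, ekus []x509.ExtKeyUsage, notBefore time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// Constructed samples mimicking issuance before and after the October 1, 2025 default change.
func SampleBothEKUs() []byte {
	return MakeSampleCert("mtls.example.test",
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		time.Date(2025, time.September, 1, 0, 0, 0, 0, time.UTC))
}

func SampleServerOnly() []byte {
	return MakeSampleCert("www.example.test", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		time.Date(2025, time.October, 2, 0, 0, 0, 0, time.UTC))
}

func main() {
	cases := []struct {
		pem  []byte
		mtls bool
	}{{SampleBothEKUs(), true}, {SampleServerOnly(), true}, {SampleServerOnly(), false}}
	for _, c := range cases {
		r, err := InspectEKU(c.pem, c.mtls)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-18s serverAuth=%-5t clientAuth=%-5t expires=%s\n  %s\n",
			r.Subject, r.HasServerAuth, r.HasClientAuth, r.NotAfter.Format("2006-01-02"), r.Status)
	}
}
```

To run this over a real inventory, replace the sample bytes with the contents of each PEM file and set `usedForClientAuth` from your configuration management or service catalogue. Certificates that come back as "action required" are the ones whose Server Authentication-only EKU would already break an mTLS peer; those flagged "plan migration" keep working until their `NotAfter` date but need a migration to X9 PKI or private trust before renewal after May 1, 2026.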

X9 PKI for TLS certificates

Transition to DigiCert's X9 PKI for TLS certificates to secure communications involving multiple organizations. X9 PKI is regulated by the ASC X9 standards body and governed by an independent certificate policy that is unaffiliated with the browsers but still ensures interoperability through a common root of trust. X9 PKI TLS certificates can carry both the Client and Server Authentication EKUs, meeting today's need for control, security, flexibility, and scalability with encryption, identity, and cross-certification capabilities. Learn more about X9 PKI and schedule a consultation.

Private trust

Transition to PKI as a service for business needs that are strictly internal. DigiCert can configure and operate a private PKI for your organization, leveraging our operational expertise and investments in security. Learn more.


Affected TLS products

Brand: DigiCert
  Validation type: OV
    • Basic OV
    • Secure Site OV
    • Secure Site Pro SSL
    • Cloud
    • Standard SSL
    • Multi-Domain SSL
    • Wildcard
    • Secure Site SSL
    • Secure Site Multi-Domain SSL
    • Secure Site Wildcard SSL
  Validation type: EV
    • Basic EV
    • Secure Site EV
    • Secure Site Pro EV SSL
    • Extended Validation SSL
    • EV Multi-Domain SSL
    • Secure Site EV SSL
    • Secure Site EV Multi-Domain SSL

Brand: GeoTrust
  Validation type: DV
    • GeoTrust DV SSL
    • GeoTrust Cloud DV
    • GeoTrust Standard DV
    • GeoTrust Wildcard DV
  Validation type: OV
    • GeoTrust TrueBusiness ID OV
  Validation type: EV
    • GeoTrust TrueBusiness ID EV

Brand: Thawte
  Validation type: DV
    • Thawte SSL 123 DV
  Validation type: OV
    • Thawte SSL Webserver OV
  Validation type: EV
    • Thawte SSL Webserver EV

Brand: RapidSSL
  Validation type: DV
    • RapidSSL Standard DV
    • RapidSSL Wildcard DV

Brand: Encryption Everywhere
  Validation type: DV
    • Encryption Everywhere DV