2025-10-21

Sunsetting the clientAuth EKU from Certum SSL/TLS certificates


Key information

From October 2025, the SSL/TLS certificate industry is undergoing a significant change – public SSL/TLS certificates will no longer include the Extended Key Usage (EKU) TLS Web Client Authentication (clientAuth) extension. This certificate extension allowed a single SSL/TLS certificate to be used for both server and client authentication in mutual TLS (mTLS) scenarios.

In response to market needs, Certum will continue to issue SSL/TLS certificates with EKU clientAuth until May 15, 2026. After this date, SSL/TLS certificates with EKU clientAuth will only be available within private CA solutions.

This change results from new browser requirements (Chrome Root Program Policy) and global security standards, and applies to all SSL/TLS certificates:

  • Certum Commercial SSL (DV),
  • Certum Trusted SSL (OV),
  • Certum Premium EV SSL (EV).

Key dates

  • June 15, 2025 – new intermediate certificates (SubCA) can no longer contain both EKU serverAuth and EKU clientAuth,
  • October 2025 – CAs start sunsetting EKU clientAuth in SSL/TLS certificates,
  • May 15, 2026 – Certum stops issuing public SSL/TLS certificates with EKU clientAuth,
  • June 15, 2026 – Chrome stops trusting SSL/TLS certificates containing both EKU serverAuth and EKU clientAuth.

How to prepare?

An inventory of SSL/TLS certificates is recommended:

  • If SSL/TLS certificates are used solely to secure websites (HTTPS), no action is required.
  • If an SSL/TLS certificate is found to be used for both server and client authentication, it is recommended to migrate the infrastructure to separate SSL/TLS certificates for EKU serverAuth and EKU clientAuth for each use case.
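
One way to run the inventory check above, as an added example (not Certum's code): a standard-library Python script that reads the Extended Key Usage extension and labels each certificate. It locates the extension by searching for its OID bytes, which is a simplification of a full X.509 parse, and `DUAL` is a constructed sample.

```python
import ssl

EKU_EXT = bytes.fromhex("0603551d25")    # DER encoding of OID 2.5.29.37 (extKeyUsage)
SERVER_AUTH, CLIENT_AUTH = "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Turn DER OID content bytes into dotted notation."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                 # high bit clear ends one base-128 arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)        # first byte packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def eku_oids(cert):
    """List the EKU OIDs of a certificate given as PEM text or DER bytes."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    at = der.find(EKU_EXT)               # simplification: find the extension by its OID bytes
    if at < 0:
        return []
    tag, value, nxt = read_tlv(der, at + len(EKU_EXT))
    if tag == 0x01:                      # optional BOOLEAN "critical" precedes the value
        tag, value, nxt = read_tlv(der, nxt)
    _, seq, _ = read_tlv(value, 0)       # OCTET STRING wraps a SEQUENCE OF OID
    oids, pos = [], 0
    while pos < len(seq):
        _, body, pos = read_tlv(seq, pos)
        oids.append(decode_oid(body))
    return oids

def classify(cert):
    """Label a certificate; "dual-purpose" ones need splitting if used for mTLS."""
    oids = set(eku_oids(cert))
    if SERVER_AUTH in oids:
        return "dual-purpose" if CLIENT_AUTH in oids else "server-only"
    return "client-only" if CLIENT_AUTH in oids else "no-tls-eku"

# Constructed sample: a bare EKU extension (serverAuth + clientAuth), not a full certificate.
DUAL = bytes.fromhex("301d0603551d250416301406082b0601050507030106082b06010505070302")
```

For a deployed endpoint, `classify` accepts the PEM text returned by `ssl.get_server_certificate((host, 443))`; certificate files on disk can be passed as PEM text or DER bytes.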

What will happen to SSL/TLS certificates with EKU clientAuth after June 15, 2026?

  • Chrome will stop trusting only those public SSL/TLS certificates with EKU clientAuth that are issued after June 15, 2026.
  • SSL/TLS certificates issued with EKU clientAuth in accordance with the deadlines provided by Certum, until May 15, 2026, will remain valid and accepted by Chrome until the end of their validity period.
  • If, after June 15, 2026, there are trust issues with SSL/TLS certificates with EKU clientAuth, the certificate can be replaced with a new one, without EKU clientAuth, using the standard reissue procedure at Certum.

Why is this changing?

The change results from global security requirements and browser policies:

  • It will no longer be possible to order a universal SSL/TLS certificate for both purposes (server + client) in a public CA.
  • Chrome Root Program Policy requires SSL/TLS certificates to be single-purpose – separately for server and separately for client.
  • New standards (CA/B Forum Baseline Requirements) and trusted Root CA policies require a clear definition of each certificate’s purpose.
  • Separating certificate functions reduces the risk of abuse and increases the transparency of the PKI ecosystem.
  • Public SSL/TLS certificates will only be allowed to contain EKU serverAuth (OID 1.3.6.1.5.5.7.3.1).
  • EKU clientAuth (OID 1.3.6.1.5.5.7.3.2) will be removed from the profile of SSL/TLS certificates issued by public CAs.