
TLS Certificates: End of Dual Use Starting in 2026
Publicly trusted TLS/SSL certificates will no longer be permitted to be used for both server and client authentication. This change is driven by new requirements from the root programs of major browser vendors. Organizations using such certificates should review their infrastructure in a timely manner.
What is changing
Until now, many publicly issued TLS certificates could be used for both server authentication (e.g., HTTPS) and client authentication (e.g., mutual TLS). This was enabled through the Extended Key Usage (EKU) extension, in which a certificate contained both the “Server Authentication” and “Client Authentication” entries.
This dual use is now being phased out. In future, publicly trusted TLS certificates may be used only for server authentication. Separate certificates will be required for client authentication, for example from a private PKI.
Transition timeline
Several certificate authorities will begin implementing these changes in spring 2026. For example, Let’s Encrypt will stop issuing such certificates on May 13, 2026. Certificates already issued can still be used there until July 8, 2026.
These changes are based on new requirements from browser root programs, which mandate a clear separation between server and client authentication.
Who is affected?
Environments that use publicly trusted TLS certificates for client authentication are particularly affected, including:
- Mutual TLS (mTLS) between systems
- API authentication using client certificates
- Device or machine authentication
- Internal services using certificates for multiple purposes
The standard use of TLS certificates for HTTPS web servers is not affected.
Recommended actions
Organizations should review whether such certificates are in use and adjust their configurations accordingly:
- Create an inventory of certificates
- Identify certificates with combined EKU
- Review client authentication use cases
- Introduce separate client certificates (contact your trust center to understand available options or consider using a private trust setup)
- Adjust automated certificate processes
A centralized overview of existing certificates can support this process. With essendi cd, a certificate inventory can be established and certificates with combined Extended Key Usage can be identified. The subsequent adjustment and renewal of certificates can be handled through automated processes, for example with essendi xc, which covers the entire certificate lifecycle and enables controlled rollout of changes.
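The inventory and "identify certificates with combined EKU" steps above can be sketched with the openssl command line. This is an added example, not part of the original article and not essendi tooling; the function names (`classify_eku`, `scan_dir`, `make_sample_cert`) are hypothetical, the sample certificates are constructed throwaway self-signed ones, and it assumes certificates are stored as PEM files with `.pem` or `.crt` names.

```shell
#!/bin/sh
# Added example: inventory certificates by Extended Key Usage (EKU).
# Assumes the openssl CLI; make_sample_cert needs -addext (OpenSSL 1.1.1+).

# Print dual | server-only | client-only | other | no-eku | unreadable.
classify_eku() {
    openssl x509 -in "$1" -noout 2>/dev/null || { echo unreadable; return 0; }
    # In -text output the EKU purposes follow the extension header line.
    eku=$(openssl x509 -in "$1" -noout -text |
          awk '/X509v3 Extended Key Usage/ { getline; print }')
    s=0; c=0
    case "$eku" in *"TLS Web Server Authentication"*) s=1 ;; esac
    case "$eku" in *"TLS Web Client Authentication"*) c=1 ;; esac
    case "$s$c" in
        11) echo dual ;;          # combined EKU: affected by the change
        10) echo server-only ;;
        01) echo client-only ;;
        *)  if [ -n "$eku" ]; then echo other; else echo no-eku; fi ;;
    esac
}

# Print "<class><TAB><path>" for each .pem/.crt file below a directory.
# (Paths containing newlines are not supported.)
scan_dir() {
    find "$1" -type f \( -name '*.pem' -o -name '*.crt' \) |
    while IFS= read -r f; do
        printf '%s\t%s\n' "$(classify_eku "$f")" "$f"
    done
}

# Constructed sample input: throwaway self-signed cert with the given EKU list.
make_sample_cert() {  # usage: make_sample_cert <out.pem> <eku-list>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample.invalid" \
        -keyout "$1.key" -out "$1" -addext "extendedKeyUsage=$2" 2>/dev/null
}

# With a directory argument, inventory it; otherwise demo on constructed samples.
if [ $# -gt 0 ]; then
    scan_dir "$1"
else
    demo=$(mktemp -d)
    make_sample_cert "$demo/dual.pem" "serverAuth,clientAuth"
    make_sample_cert "$demo/server.pem" "serverAuth"
    scan_dir "$demo"
    rm -rf "$demo"
fi
```

Certificates reported as `dual` are the ones to review; `client-only` results from a public CA also deserve a look, since client authentication is the use case being moved to separate certificates.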