Important SSL Certificate Changes Coming to Chrome in 2026

What’s Changing?

Google Chrome will stop trusting public SSL/TLS certificates that support the client authentication extended key usage (ClientAuth EKU) starting June 15, 2026. This means that after this date, new public SSL/TLS certificates issued must only include the server authentication EKU. Certificates issued before this cutoff will remain valid until they expire or are revoked. The main goal is to improve security and simplify certificate management by eliminating multipurpose certificates that support both server and client authentication.

Who is Impacted?

Most websites and users won’t be affected, as typical SSL/TLS certificates are used only for server authentication. However, organisations that use public SSL/TLS certificates for client authentication (such as mutual TLS or server-to-server authentication) must adapt. These organisations should transition to either publicly trusted S/MIME certificates with ClientAuth EKU for individual authentication or use private CA-based client authentication for internal scenarios.

The Timeline

Major certificate authorities (CAs) are phasing out support for ClientAuth EKU in public SSL/TLS certificates at different times ahead of the deadline. For example, DigiCert will stop including ClientAuth EKU by default from October 1, 2025, and will fully remove it from all public SSL/TLS certificates by May 1, 2026. Let’s Encrypt and Sectigo have similar phased timelines, ending in May 2026.

The background for this change is a broader industry move toward dedicated PKI hierarchies, which helps maintain public trust and security by separating server and client authentication roles. Importantly, these changes do not affect private CA client authentication certificates, only publicly trusted ones.

What does it mean for you?

For most companies, the Chrome change means little to no impact if they are not using their public SSL/TLS certificates for client authentication.  If they are, then they need to plan to move to a private certificate before the June 2026 deadline.