Google Chrome will stop trusting public SSL/TLS certificates that support the client authentication extended key usage (ClientAuth EKU) starting June 15, 2026. This means that after this date, new public SSL/TLS certificates issued must only include the server authentication EKU. Certificates issued before this cutoff will remain valid until they expire or are revoked. The main goal is to improve security and simplify certificate management by eliminating multipurpose certificates that support both server and client authentication.
Most websites and users won’t be affected, as typical SSL/TLS certificates are used only for server authentication. However, organisations that use public SSL/TLS certificates for client authentication (such as mutual TLS or server-to-server authentication) must adapt. These organisations should transition to either publicly trusted S/MIME certificates with ClientAuth EKU for individual authentication or use private CA-based client authentication for internal scenarios.
Major certificate authorities (CAs) are phasing out support for ClientAuth EKU in public SSL/TLS certificates at different times ahead of the deadline. For example, DigiCert will stop including ClientAuth EKU by default from October 1, 2025, and will fully remove it from all public SSL/TLS certificates by May 1, 2026. Let’s Encrypt and Sectigo have similar phased timelines, ending in May 2026.
The background for this change is a broader industry move toward dedicated PKI hierarchies, which helps maintain public trust and security by separating server and client authentication roles. Importantly, these changes do not affect private CA client authentication certificates, only publicly trusted ones.
For most companies, the Chrome change means little to no impact if they are not using their public SSL/TLS certificates for client authentication. If they are, then they need to plan to move to a private certificate before the June 2026 deadline.
In our 18th episode, we provide you with a quick guide to what gTLD applicants need to know about the new Applicant Guidebook and the 2026 application round.