Description
Globally SSL Certificate will no longer include the Client Authentication Extended Key Usage (EKU) in our public TLS certificates by default starting October 1, 2025. This change aligns with Google Chrome’s root program requirements to enhance security and promote interoperability.
Important: This is a dynamic article. YISolutions will update it when new information becomes available. Save this page and check back periodically for the latest information.
What is Changing
Today, Globally SSL Certificate includes both Server Authentication and Client Authentication Extended Key Usages (EKUs) in public TLS certificates.
On October 1, 2025
Globally SSL Certificate will stop including the Client Authentication EKU in public TLS certificates by default and issue these certificates with the Server Authentication EKU only.
How does this affect you?
You can still choose to include the Client Authentication EKU in your TLS certificates after October 1, but you must do it proactively during the enrollment process. Disruption could occur if certificates that you intend to use for client authentication carry only the Server Authentication EKU.
Configure the default EKU setting for your public TLS certificates
If you are an administrator, use Server Authentication and Client Authentication as your default EKU setting for your TLS certificates.
- In the CertCentral menu, go to Settings > Product Settings. On the Product Settings page, select the TLS certificate.
- To configure its default EKU setting, in the Default Extended Key Usage menu, select Server Authentication and Client Authentication. Then select Save Settings.
Learn more about updating the default EKU option selection for your public TLS certificate.
CertCentral and CertCentral Services API customers
When enrolling for public TLS certificates via CertCentral and Services API, you must choose to include the Server Authentication and Client Authentication EKUs in your certificate. See our Extended key usage (EKU) options article.
Certificate Issuing Service (CIS) customers
If you use CIS and still need the Client Authentication EKU beyond October 1, contact your account manager or Globally SSL Certificate Support no later than September 3, 2025. That way, Globally SSL Certificate can customize your profile so that your public TLS certificates continue to include both the Client Authentication and Server Authentication EKUs.
On May 1, 2026
Globally SSL Certificate will fully remove the Client Authentication EKU from our public TLS certificate issuance process for all certificates, including renewals, reissues, and duplicate certificates. The option to choose the Client Authentication EKU during enrollment for public TLS certificates will no longer be available.
How does this affect you?
After May 1, 2026, public TLS certificates issued by Globally SSL Certificate will no longer be usable for client authentication. This change will not affect your existing TLS certificates with the Client Authentication EKU issued before May 1, 2026. These existing certificates will remain trusted until they expire.
If you require the Client Authentication EKU beyond May 1, 2026, see What do you need to do below.
Why is Globally SSL Certificate issuing public TLS certificates with only the Server Authentication EKU from dedicated TLS root hierarchies?
Google Chrome Root Program requires Certificate Authorities to use dedicated TLS root hierarchies to improve security and compliance. The Chrome root store policy does not apply to other PKI use cases, such as Client Authentication and Code Signing.
Timeline of events with Chrome policy and Globally SSL Certificate transition plan
Change | Chrome Policy | Globally SSL Certificate transition plan |
Extended Key Usage (EKU) | Prior to June 15, 2026: Both Server and Client Authentication EKUs can be included in TLS certificates. | October 1, 2025 |
| Starting June 15, 2026: Only Server Authentication EKU can be included in TLS certificates. | May 1, 2026: Fully remove the Client Authentication EKU from newly issued public TLS certificates (new, renewals, reissues, and duplicates). |
PKI Hierarchy | Prior to June 15, 2026: TLS certificates may be issued from multipurpose root hierarchies. | |
What do you need to do?
- Securing website only (HTTPS)
If using your SSL/TLS certificates solely for securing websites (HTTPS), then no action is required. However, Globally SSL Certificate recommends reviewing your TLS certificate process to verify it only includes securing websites.
- Mutual TLS (mTLS), server-to-server authentication, or other authentication use cases
If your organization requires the Client Authentication EKU in your Globally SSL Certificate TLS certificates for mTLS or server-to-server authentication, then action is required. Globally SSL Certificate has excellent options available for our customers and partners who require the client authentication EKU beyond May 1, 2026.
X9 PKI for TLS certificates
- Transition to Globally SSL Certificate’s X9 PKI for TLS certificates to secure communications involving multiple organizations. Regulated by the ASC X9 standards body, X9 PKI is governed by an independent certificate policy unaffiliated with the browsers, but that ensures interoperability by using a common root of trust. X9 PKI for TLS certificates can have both client and server authentication EKUs, meeting today’s unique need for control, security, flexibility, and scalability with encryption, identity, and cross-certification capabilities. Learn more about X9 PKI and schedule a consultation.
Private trust
Transition to PKI as a service for business needs that are strictly internal. Globally SSL Certificate can configure and operate a private PKI for your organization, leveraging our operational expertise and investments in security.
FAQ
mTLS, also known as Mutual TLS or server-to-server authentication, is a type of authentication in which the client and the server authenticate each other using digital certificates. Historically, TLS certificates have been used for both client authentication and server authentication, a practice that is being deprecated.
Globally SSL Certificate will no longer include the Client Authentication Extended Key Usage (EKU) in newly issued publicly trusted SSL/TLS certificates.
Effective April 7, 2025, the Client Authentication EKU will no longer be included in the eIDAS QWAC certificates. No exceptions will be granted after this date. Other certificates of SSL/TLS type will remain unaffected at this point.
Effective October 14, 2025, the Client Authentication EKU will no longer be included by default.
Effective May 15, 2026, the Client Authentication EKU will be permanently removed from all newly issued SSL/TLS certificates. No exceptions will be granted after this date.
The phased approach is designed to give organizations time to assess their use cases, plan their migration, and implement alternative solutions like Private PKI for Client Authentication use cases.
- The October 14, 2025 deadline provides an initial transition period, during which most new certificates will not include the Client Authentication EKU by default. Exceptions to this deadline can be made by Globally SSL Certificate on a case-by-case basis.
- The May 15, 2026 hard deadline marks the final cutoff, after which no new SSL/TLS certificates issued by Globally SSL Certificate will include the Client Authentication EKU under any circumstances.
This timeline aligns with industry requirements and Globally SSL Certificate’s commitment to helping customers make a smooth transition without service disruption.
An earlier enforcement date for eIDAS QWAC certificates derives from the request of the majority of our European customers who are using platforms like Chorus Pro in EDI mode, which already require the removal of Client Authentication EKU.
The Client Authentication EKU is an extension within a digital certificate that allows it to be used for authenticating clients to servers, commonly as part of mutual TLS (mTLS), server-to-server authentication, and other Client Authentication scenarios.
- April 7, 2025: Globally SSL Certificate has stopped including the Client Authentication EKU in eIDAS QWAC certificates, with no exceptions.
- October 14, 2025: Globally SSL Certificate will stop including the Client Authentication EKU in SSL/TLS certificates by default.
- May 15, 2026: Globally SSL Certificate will no longer include the Client Authentication EKU in any SSL/TLS certificates. This is a hard deadline, with no exceptions.
No changes are being made at this time to Globally SSL Certificate’s S/MIME certificates.
- Multipurpose S/MIME certificates will continue to support the Client Authentication EKU.
- Strict profile S/MIME certificates do not support Client Authentication EKU and remain unchanged.
Globally SSL Certificate recommends against using publicly trusted certificates for Client Authentication purposes.
If you are using certificates in mutual TLS (mTLS) configurations or for server-to-server authentication, you are likely relying on the Client Authentication EKU. If you are unsure, we recommend reviewing your current certificate deployment or contacting Globally SSL Certificate for assistance.
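One way to carry out that review, as an added example that is not part of the vendor's article or tooling: the script below classifies PEM certificates by EKU using `openssl x509` and flags the ones that lack Client Authentication. The function names and the self-signed sample certificates are constructed for illustration, and OpenSSL 1.1.1 or later is assumed for `-addext`.

```bash
#!/usr/bin/env bash
# Added example: classify PEM certificates by EKU. Names and samples are constructed.

# eku_status FILE -> both | server-only | client-only | no-eku | other | unreadable
eku_status() {
    local text eku
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo unreadable; return 0; }
    # openssl prints the EKU purposes on the line after the extension header.
    eku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' | tail -n 1)
    case "$eku" in
        *"Server Authentication"*"Client Authentication"*) echo both ;;
        *"Client Authentication"*"Server Authentication"*) echo both ;;
        *"Client Authentication"*) echo client-only ;;
        *"Server Authentication"*) echo server-only ;;
        "") echo no-eku ;;   # no EKU extension: usage is not restricted by EKU
        *)  echo other ;;
    esac
}

# make_sample OUT EKU_LIST: constructed, self-signed, one-day test certificate.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed.example" -keyout "$1.key" -out "$1" \
        -addext "extendedKeyUsage=$2" >/dev/null 2>&1
}

# audit FILE...: one line per certificate with its EKU status and expiry.
audit() {
    local f s end
    for f in "$@"; do
        s=$(eku_status "$f")
        end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null) || end=unknown
        case "$s" in
            server-only) echo "$f: $s ($end) <- lacks clientAuth; fails EKU checks as an mTLS client cert" ;;
            both)        echo "$f: $s ($end) <- renewal/reissue drops clientAuth by default" ;;
            *)           echo "$f: $s ($end)" ;;
        esac
    done
}

if [ "$#" -gt 0 ]; then
    audit "$@"                       # audit the files given on the command line
else                                 # no arguments: demo on constructed certificates
    tmp=$(mktemp -d)
    make_sample "$tmp/legacy.pem" "serverAuth,clientAuth"
    make_sample "$tmp/new-default.pem" "serverAuth"
    audit "$tmp/legacy.pem" "$tmp/new-default.pem"
    rm -rf "$tmp"
fi
```

Certificates reported as `both` are the ones to track by expiry date, since they keep working until then but their replacements will not carry the Client Authentication EKU by default.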
Globally SSL Certificate offers Private CA solutions that support Client Authentication EKUs for internal use cases like mTLS. Our team can help assess your needs and design a migration plan that ensures continued authentication functionality.
Major browser and root program providers have introduced new security requirements that prohibit the inclusion of the Client Authentication EKU in publicly trusted SSL/TLS certificates. These changes are designed to reinforce certificate purpose specificity and improve ecosystem security.
If your organization does not use Globally SSL Certificate SSL/TLS certificates for mTLS, mutual TLS, or server-to-server authentication, no action is required.
If your organization does use SSL/TLS certificates for Client Authentication purposes, you will need to transition to an alternative solution, such as a Private CA.
Globally SSL Certificate recommends migrating Client Authentication use cases to a Private PKI (Private CA) solution. A Private CA allows you to control certificate issuance policies, including the use of the Client Authentication EKU, and offers more flexibility for mTLS and server-to-server authentication scenarios.
After May 15, 2026, Globally SSL Certificate SSL/TLS certificates will no longer include the Client Authentication EKU and cannot be used for mTLS or other Client Authentication use cases.
To avoid disruption, we recommend transitioning to Private CA-issued certificates well in advance of this date.
- Assess whether you are using Globally SSL Certificate SSL/TLS certificates for Client Authentication purposes, including mTLS or server-to-server authentication.
- If so, contact Globally SSL Certificate sales representatives to explore Private CA options.
- Plan your migration ahead of the October 14, 2025 soft deadline to avoid disruption.
If you have any questions or need assistance, please reach out to us at: support@yi.com.pk
Yes, this change applies to both new certificates and reissued or renewed certificates.
After October 14, 2025, any new, renewed, or reissued SSL/TLS certificates will no longer include the Client Authentication EKU by default.
After May 15, 2026, the Client Authentication EKU will not be included in any newly issued SSL/TLS certificates—whether they are new requests, renewals, or reissuances.
If you require certificates with Client Authentication functionality beyond these dates, you should transition to a Private CA solution.
Yes. SSL/TLS certificates that were issued before the deprecation deadlines and include the Client Authentication EKU will continue to work as they were issued—until they expire or are revoked.
This change only applies to newly issued certificates starting April 07, 2025 for eIDAS QWAC and starting October 14, 2025 for other SSL/TLS certificates.