Removal of Client Authentication EKU from SSL Certificates
Starting October 14, 2025, all newly issued and renewed SSL certificates from ZeroSSL will no longer include the Client Authentication EKU (id-kp-clientAuth). This change aligns with evolving industry standards, led by enforcement from Google Chrome and expected adoption by other major browsers.
The goal is to ensure certificates are used strictly for their intended purpose—securing HTTPS connections—and not for unintended authentication scenarios.
💡 What is EKU?
EKU (Extended Key Usage) defines the specific functions a certificate can perform.
The id-kp-clientAuth EKU is typically used for client authentication in mutual TLS (mTLS). Removing it helps prevent misuse of certificates for purposes beyond secure web communication.
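As an added example (not ZeroSSL's code), the Python check below uses the `cryptography` library to list the EKUs a PEM certificate carries and report whether id-kp-clientAuth is among them, so an operator can tell whether a given certificate would still be accepted for mTLS. The two certificates it inspects are constructed self-signed stand-ins for a certificate issued before and after the change, not real ZeroSSL certificates.

```python
"""Audit a PEM certificate for the id-kp-clientAuth EKU (hypothetical helper, not ZeroSSL code)."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def eku_oids(cert_pem: bytes) -> list:
    """Dotted OIDs in the certificate's extendedKeyUsage extension, or [] if the extension is absent."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return []
    return [oid.dotted_string for oid in eku]


def has_client_auth(cert_pem: bytes) -> bool:
    """True if id-kp-clientAuth (1.3.6.1.5.5.7.3.2) is present, i.e. the cert may be used as an mTLS client cert."""
    return ExtendedKeyUsageOID.CLIENT_AUTH.dotted_string in eku_oids(cert_pem)


def make_test_cert(ekus) -> bytes:
    """Constructed self-signed test certificate with the given EKU list (stands in for a CA-issued one)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=90))
        .add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


# Constructed samples: serverAuth+clientAuth (pre-change style) and serverAuth only (post-change style).
OLD_STYLE = make_test_cert([ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH])
NEW_STYLE = make_test_cert([ExtendedKeyUsageOID.SERVER_AUTH])

if __name__ == "__main__":
    for label, pem in (("before 2025-10-14", OLD_STYLE), ("after 2025-10-14", NEW_STYLE)):
        print(f"{label}: EKUs={eku_oids(pem)} clientAuth={has_client_auth(pem)}")
```

Point `eku_oids` at your own deployed certificate files to find any that are still relied on for client authentication before they are renewed.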
❔ What Does This Mean for You?
If you use certificates to secure websites over HTTPS: you are not affected by this change.
The vast majority of ZeroSSL users rely on certificates to secure websites—ensuring encrypted communication between browsers and servers via HTTPS. This is exactly what SSL certificates are designed for, and this change does not impact that functionality in any way.
Your certificates will continue to work seamlessly for:
- Securing public websites and web applications
- Protecting user data in transit
- Maintaining browser trust and compatibility
No action is required on your part. You can continue issuing and renewing certificates as usual.
If you use certificates for client authentication (mTLS): you will be affected. Certificates issued after October 14, 2025, will no longer carry the Client Authentication EKU and therefore cannot be used for client authentication. You may need to explore alternative solutions or consult your integration provider.
ZeroSSL-issued certificates may have been used for client authentication; however, this use case was never formally supported or promoted as part of our product offering.