ZeroSSL is introducing a new intermediate certificate to comply with upcoming changes in the Google Chrome Root Program. Chrome is ending support for “dual use” certificates that contain both Server Authentication and Client Authentication EKUs. From June 15, 2026, Chrome will only trust certificates issued from server‑authentication‑only public CA hierarchies.
ZeroSSL removed the Client Authentication EKU from newly issued certificates starting October 14, 2025 to align with these requirements.
Why this change is required
Google Chrome’s updated policy disallows publicly trusted certificates that include the id-kp-clientAuth EKU. Public certificates must now serve one purpose only: authenticating servers for HTTPS. Certificates containing ClientAuth EKU issued after June 15, 2026 will be untrusted in Chrome.
To comply with this, ZeroSSL will introduce a new intermediate CA that supports serverAuth only.
How this affects ZeroSSL customers
1. Usage of ZeroSSL certificates for standard HTTPS
- No action is required if you use ZeroSSL certificates for the purpose of HTTPS (like the vast majority of our customers)
- All issued certificates remain valid until they expire
- However, check below if your workflow for future certificates might needs a change.
2. Using ZeroSSL certificates for mTLS or Client Authentication
- ZeroSSL certificates no longer contain the allowed purpose "Client Authentication" in the Extended Key Usage extension since last year.
- Public CA certificates may no longer be used for mTLS or device authentication.
- A private or internal CA is required for client authentication workflows.
How you obtain the new intermediate certificate
- ACME clients (such as acme.sh, Caddy, Certbot, and others) automatically receive the updated certificate chain.
- No configuration changes are needed unless you manually pinned or stored the old intermediate.
REST API responses provide both the leaf certificate and the CA bundle:
{ "certificate.crt": "---BEGIN CERTIFICATE---{primary_certificate}---END CERTIFICATE---",
"ca_bundle.crt": "---BEGIN CERTIFICATE---{certificate_bundle}---END CERTIFICATE---" }
- You will automatically receive the new intermediate in
ca_bundle.crt. - However, ZeroSSL cannot detect whether your system actually uses or parses that bundle.
- The zip archive you download already contains the intermediate certificate.
- Starting April 1, you will automatically receive the new intermediate in there.
- Make sure you are not using an outdated, manually saved bundle.
Important: Check your certificate workflow
To remain compliant with Chrome’s updated requirements, please verify the following:
- If you pinned the CA bundle or intermediate certificate, update your pins to the new intermediate.
- If your workflow only installs the leaf certificate (without the CA bundle), update your deployment process to include the new CA bundle.
- If your system stores older chain files locally, ensure they are replaced with the newly provided ones on or after April 1.
Need help?
If you have any questions about the new intermediate CA or how it affects your environment, please contact ZeroSSL Support.