TL;DR: Browsers led by Google are ending support for dual-EKU public TLS certificates, which will remove ClientAuth from browser-trusted roots and force organisations to redesign mTLS and other client-authentication patterns, according to DigiCert. The shift exposes how much enterprise trust infrastructure depended on certificates doing two jobs at once.
NHIMG editorial — based on content published by DigiCert: What the End of Dual-EKU TLS Means for ClientAuth and mTLS
Questions worth separating out
Q: What breaks when public TLS certificates stop supporting client authentication?
A: Applications that depended on dual-purpose public certificates will lose a simple path for mTLS and client authentication.
Q: When should organisations use private PKI instead of public certificates for client auth?
A: Private PKI is usually the better fit when client authentication is limited to internal systems, administrative access, or services that do not need browser trust.
Q: How do security teams know whether mTLS needs a redesign?
A: If mTLS depends on certificates that were issued for both server and client use, the design needs review.
Practitioner guidance
- Inventory dual-EKU dependencies: identify every application, service, and partner flow that still relies on a public certificate carrying both serverAuth and clientAuth.
- Separate client authentication from server TLS policy: create distinct certificate profiles for server authentication and client authentication, and stop treating one certificate template as a universal trust object.
- Choose private PKI for internal-only identities: move internal services and administrative interfaces that never cross the internet to private PKI, where you control subject naming, issuance rules, and lifetime.
What's in the full article
DigiCert's full blog covers the operational detail this post intentionally leaves for the source:
- Browser-root policy context for why dual-EKU certificates are being phased out
- How DigiCert X9 PKI is positioned for client authentication outside the Web PKI
- Operational reasons internal PKI can be the better fit for internal-only services
- Planning considerations for organisations that need certificate agility, including PQC readiness
Read DigiCert's analysis of the end of dual-EKU TLS for clientAuth and mTLS.