TCS members,
information from GEANT regarding the upcoming removal of
clientAuth from the "extended key usage" in server certificates.
Corresponding changes are being made at other CAs (Let's Encrypt, Sectigo, etc.)
before the deadline.
The changes do not affect use as server certificates, but if you
have used server certificates to authenticate as a client when
connecting to a server, you may need to do things differently going forward.
Contact tcs(a)sunet.se if you have specific questions about a
use case of yours.
> Subject: [tcs] Information on removal of clientAuth EKU from TLS certificates
> Date: Mon, 5 Jan 2026 23:28:29 +0000
>
> Dear All
>
> You may be aware of information relating to the removal of clientAuth
> EKU from TLS certificates. EKU stands for “extended key usage” and
> defines permissions for how different certificate types could be used
> for additional purposes - the most common being allowing Server
> Authentication and Client Authentication Extended Key Usages in public
> trust certificates by default. To avoid misconfiguration, misuse, and
> policy violations, the CA/B Forum decided that from May 2026 onward,
> publicly trusted CAs will not issue TLS certificates containing the
> ClientAuth EKU.
>
> We are working with HARICA to determine a date as to when these will
> be removed from our certificates, but this will be in line with the
> May 2026 date. This should have no overall impact on the validity of
> certificates used for server authentication only. Any new public
> SSL/TLS certificates issued on or after June 15, 2026 must include
> ONLY the serverAuth EKU. Certificates issued prior to this date will
> remain valid until their expiration (unless revoked beforehand).
>
> For client authentication, we strongly recommend that our community
> use the client certificates tagged as “IGTF certificates” in the
> HARICA portal. On behalf of myself and the PMA we acknowledge a
> mistake in naming these on our part - in the final days of the Sectigo
> contract we had realigned and renamed client certificates as GÉANT
> Personal Authentication and should have used this nomenclature moving
> over to the HARICA contract but fell back on old habits. I will be
> working with HARICA to better position these certificates and rename
> them in a way that is more useful for our community.
>
> I hope that all makes sense but if you need further information or clarification please do not hesitate to reach out.
>
> Many thanks
>
> Nicole
>
> --
> Nicole Harris
> Senior Trust and Security Manager
> GÉANT
--
Kent Engström, Sunet TCS
kent.engstrom(a)liu.se, +46 13 28 4444
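To find out whether any of your deployments depend on the EKU that is going away, the practical check is to read the Extended Key Usage extension of the certificates you present as a client and see whether clientAuth (OID 1.3.6.1.5.5.7.3.2) is present. The script below is an added example and is not part of the mailing-list post or any TCS, GÉANT or HARICA tooling. It is a dependency-free DER walker that locates the EKU extension (OID 2.5.29.37) in a certificate and lists the purposes it carries; the sample input it tests itself on is a constructed extensions block, not a real signed certificate, and the function and OID names are the author's own choices.

```python
"""List the Extended Key Usage purposes of an X.509 certificate and flag clientAuth.

Added example, not the project's code. Stdlib only, so it runs anywhere.
Usage: python eku_check.py cert.pem   (PEM or DER input)
"""
import base64
import sys

OID_EKU = "2.5.29.37"                 # id-ce-extKeyUsage
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_NAMES = {OID_SERVER_AUTH: "serverAuth", OID_CLIENT_AUTH: "clientAuth",
             "1.3.6.1.5.5.7.3.3": "codeSigning", "1.3.6.1.5.5.7.3.4": "emailProtection"}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end, next_pos) for the DER TLV at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def _decode_oid(content):
    """Decode OID content octets into dotted notation."""
    parts = [str(content[0] // 40), str(content[0] % 40)]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def _walk(buf, start, end):
    """Yield (tag, value_start, value_end) for every TLV at any depth."""
    pos = start
    while pos < end:
        tag, vstart, vend, nxt = _read_tlv(buf, pos)
        yield tag, vstart, vend
        if tag & 0x20:                # constructed type: descend into it
            yield from _walk(buf, vstart, vend)
        pos = nxt


def extended_key_usage(cert_der):
    """Return the EKU OIDs of a DER certificate, or None if no EKU extension exists."""
    for tag, vstart, vend in _walk(cert_der, 0, len(cert_der)):
        if tag != 0x30:
            continue
        t, s, e, nxt = _read_tlv(cert_der, vstart)
        if t != 0x06 or _decode_oid(cert_der[s:e]) != OID_EKU:
            continue
        # Extension ::= SEQUENCE { extnID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
        t, s, e, nxt = _read_tlv(cert_der, nxt)
        if t == 0x01:                 # skip the optional 'critical' flag
            t, s, e, nxt = _read_tlv(cert_der, nxt)
        _, seq_start, seq_end, _ = _read_tlv(cert_der, s)   # ExtKeyUsageSyntax ::= SEQUENCE OF OID
        oids, pos = [], seq_start
        while pos < seq_end:
            _, os_, oe, pos = _read_tlv(cert_der, pos)
            oids.append(_decode_oid(cert_der[os_:oe]))
        return oids
    return None


def relies_on_client_auth(cert_der):
    """True when the certificate advertises clientAuth, i.e. it will not be reissued as-is."""
    return OID_CLIENT_AUTH in (extended_key_usage(cert_der) or [])


def load_certificate(data):
    """Accept PEM or DER bytes and return DER."""
    if b"-----BEGIN" in data:
        body = data.split(b"-----BEGIN CERTIFICATE-----")[1].split(b"-----END")[0]
        return base64.b64decode(b"".join(body.split()))
    return data


# --- constructed sample input (an extensions block, not a real signed certificate) ---
def _der(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_sample(eku_oids):
    """Build a [3] EXPLICIT Extensions block carrying the given EKU OIDs (constructed test data)."""
    eku_value = _der(0x30, b"".join(_der(0x06, _encode_oid(o)) for o in eku_oids))
    ext = _der(0x30, _der(0x06, _encode_oid(OID_EKU)) + _der(0x04, eku_value))
    return _der(0x30, _der(0xA3, _der(0x30, ext)))


if __name__ == "__main__":
    der = load_certificate(open(sys.argv[1], "rb").read()) if len(sys.argv) > 1 \
        else build_sample([OID_SERVER_AUTH, OID_CLIENT_AUTH])
    oids = extended_key_usage(der)
    print("EKU:", ", ".join(EKU_NAMES.get(o, o) for o in oids) if oids else "(none)")
    print("needs a dedicated client certificate:", relies_on_client_auth(der))
```

Run it over every certificate a workload uses to authenticate outbound (mTLS clients, federation agents, monitoring probes); any certificate where the check prints True is one that will have to be replaced by a dedicated client certificate, such as the IGTF/personal authentication certificates the post recommends, before the renewal after the cut-over date.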