12:10 p.m.
TCS-medlemmar,
information från GEANT angående kommande borttagning av
clientAuth från "extended key usage" i servercertifikat.
Motsvarande ändringar sker hos andra CAs (Let's Encrypt, Sectigo osv)
innan deadline.
Ändringar påverkar inte användning som servercertifikat, men om ni
har använt servercertifikat för att autentisera som klient vid
uppkoppling mot en server kan ni behöva göra annorlunda framöver.
Kontakta tcs(a)sunet.se om ni har konkreta funderingar om något
användningsfall hos er.
Subject: [tcs] Information on removal of clientAuth
EKU from TLS certificates
Date: Mon, 5 Jan 2026 23:28:29 +0000 (1 day, 11 hours, 34 minutes ago)
Dear All
You may be aware of information relating to the removal of clientAuth
EKU from TLS certificates. EKU stands for “extended key usage” and
defined permissions for how different certificate types could be used
for additional purposes - the most common being allowing Server
Authentication and Client Authentication Extended Key Usages in public
trust certificates by default. To avoid misconfiguration, misuse, and
policy violations, the CA/B Forum decided that from May 2026 onward,
publicly trusted CAs will not issue TLS certificates containing the
ClientAuth EKU.
We are working with HARICA to determine a date as to when these will
be removed from our certificates, but this will be in line with the
May 2026 date. This should have no overall impact on the validity of
certificates used for server authentication only. Any new public
SSL/TLS certificates issued on or after June 15, 2026 must include
ONLY the serverAuth EKU. Certificates issued prior to this date will
remain valid until their expiration (unless revoked beforehand).
For client authentication, we strongly recommend that our community
use the client certificates tagged as “IGTF certificates” in the
HARICA portal. On behalf of myself and the PMA we acknowledge a
mistake in naming these on our part - in the final days of the Sectigo
contract we had realigned and renamed client certificates as GÉANT
Personal Authentication and should have used this nomenclature moving
over to the HARICA contract but fell back on old habits. I will be
working with HARICA to better position these certificates and rename
them in a way that is more useful for our community.
I hope that all makes sense but if you need further information or clarification please
do not hesitate to reach out.
Many thanks
Nicole
--
Nicole Harris
Senior Trust and Security Manager
GÉANT
--
Kent Engström, Sunet TCS
kent.engstrom(a)liu.se, +46 13 28 4444