TCS members,
information from GÉANT regarding the upcoming removal of
clientAuth from the "extended key usage" in server certificates.
Corresponding changes are taking place at other CAs (Let's Encrypt, Sectigo, etc.)
before the deadline.
The changes do not affect use as a server certificate, but if you
have used server certificates to authenticate as a client when
connecting to a server, you may need to do things differently going forward.
Contact tcs(a)sunet.se if you have concrete questions about any
use case at your site.
Subject: [tcs] Information on removal of clientAuth EKU from TLS certificates
Date: Mon, 5 Jan 2026 23:28:29 +0000
Dear All
You may be aware of information relating to the removal of clientAuth
EKU from TLS certificates. EKU stands for “extended key usage” and
defined permissions for how different certificate types could be used
for additional purposes - the most common being allowing Server
Authentication and Client Authentication Extended Key Usages in public
trust certificates by default. To avoid misconfiguration, misuse, and
policy violations, the CA/B Forum decided that from May 2026 onward,
publicly trusted CAs will not issue TLS certificates containing the
ClientAuth EKU.
We are working with HARICA to determine a date as to when these will
be removed from our certificates, but this will be in line with the
May 2026 date. This should have no overall impact on the validity of
certificates used for server authentication only. Any new public
SSL/TLS certificates issued on or after June 15, 2026 must include
ONLY the serverAuth EKU. Certificates issued prior to this date will
remain valid until their expiration (unless revoked beforehand).
For client authentication, we strongly recommend that our community
use the client certificates tagged as “IGTF certificates” in the
HARICA portal. On behalf of myself and the PMA we acknowledge a
mistake in naming these on our part - in the final days of the Sectigo
contract we had realigned and renamed client certificates as GÉANT
Personal Authentication and should have used this nomenclature moving
over to the HARICA contract but fell back on old habits. I will be
working with HARICA to better position these certificates and rename
them in a way that is more useful for our community.
I hope that all makes sense but if you need further information or clarification please
do not hesitate to reach out.
Many thanks
Nicole
--
Nicole Harris
Senior Trust and Security Manager
GÉANT
--
Kent Engström, Sunet TCS
kent.engstrom(a)liu.se, +46 13 28 4444
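Because the certificates that matter are the ones whose EKU still lists clientAuth, an inventory check is the practical first step before the cutoff described above. The following is an added example, not code from Sunet, GÉANT or HARICA: a dependency-free DER walker that reports the EKU OIDs of a certificate (or of any DER fragment that contains its extensions), so any in-house script can flag certificates that something may be using for client authentication. The sample inputs are constructed, not real certificates.

```python
EKU_EXT_OID = "2.5.29.37"          # id-ce-extKeyUsage
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _walk(buf):  # yield (tag, value) for every TLV in valid DER, descending into constructed types
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value
        if tag & 0x20:                                  # constructed bit: recurse into the children
            yield from _walk(value)

def _decode_oid(value):  # OID content bytes -> dotted string; the first byte packs the first two arcs
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def extended_key_usage(der):
    """EKU OIDs of a DER certificate (or any DER fragment holding its extensions); [] if no EKU."""
    items = _walk(der)
    for tag, value in items:
        if tag == 0x06 and _decode_oid(value) == EKU_EXT_OID:
            # Extension ::= SEQUENCE { extnID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
            tag, value = next(items)
            if tag == 0x01:                             # skip the optional 'critical' flag
                tag, value = next(items)
            return [_decode_oid(v) for t, v in _walk(value) if t == 0x06]
    return []

def _tlv(tag, content):  # sample-construction helper: DER-encode a short (<128 byte) TLV
    return bytes([tag, len(content)]) + content

# Constructed samples, not real certificates: an Extensions block ([3] { SEQUENCE OF Extension }) with one critical EKU
_ID = _tlv(0x06, bytes.fromhex("551d25")) + _tlv(0x01, b"\xff")        # extnID + critical TRUE
_SRV, _CLI = _tlv(0x06, bytes.fromhex("2b06010505070301")), _tlv(0x06, bytes.fromhex("2b06010505070302"))
def _extensions(*purposes):
    return _tlv(0xA3, _tlv(0x30, _tlv(0x30, _ID + _tlv(0x04, _tlv(0x30, b"".join(purposes))))))
LEGACY_EXTENSIONS = _extensions(_SRV, _CLI)      # what server certificates commonly carry today
SERVER_ONLY_EXTENSIONS = _extensions(_SRV)       # what new certificates will carry after the cutoff
```

Feed `extended_key_usage` the DER bytes of a real certificate (for PEM input, base64-decode the body between the BEGIN/END lines first) and treat `CLIENT_AUTH in` the result as the signal that the certificate needs the alternative client-authentication arrangement mentioned above before its renewal.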