
Sectigo Removes Client Authentication from SSL/TLS Certificates: What You Need to Know

Tags: Sectigo, DigiCert, Client Authentication, SSL Certificates


Samantha, October 10, 2025

Sectigo, one of the world's leading certificate authorities, has announced a significant update to its SSL/TLS certificate policy. Starting October 7, 2025, newly issued, renewed, or reissued SSL/TLS certificates will no longer include the Client Authentication extended key usage (EKU).
This change is part of a broader industry shift—also seen with other CAs like DigiCert, which made a similar move in October—to decouple client authentication from standard TLS certificates. The goal is to streamline certificate use and align with modern security practices, especially as major browsers like Google Chrome phase out support for certain legacy authentication methods.

What Does This Mean for Most Users?
For the vast majority of SSL/TLS certificate holders, those using certificates to secure websites with HTTPS, this change will have no impact: browsers validate a server certificate using only its Server Authentication EKU, so your sites will continue to operate securely without any required action.

Who Is Affected?
A small subset of organizations that use SSL/TLS certificates for mutual authentication (mTLS)—often for server-to-server communication, API security, or internal service authentication—will be impacted. In these setups, both the client and the server present certificates to verify each other's identity.
Because client authentication is being removed from standard TLS certificates, these users will now need two separate certificates to achieve the same level of security: one for server authentication (HTTPS) and another, typically issued by a Private Certificate Authority (Private CA), for client authentication.

Why Is This Happening?
The move is largely driven by evolving web standards and browser policies. Google Chrome, for example, has been pushing to simplify and strengthen TLS implementation by reducing dependency on multipurpose certificates. By separating client authentication, CAs can improve security clarity and reduce the risk of misconfiguration.

What Should You Do?
If you're unsure whether your organization uses client authentication, now is the time to review your certificate setup. If you rely on mTLS, you'll need to:
- Migrate to a Private CA for client certificates
- Ensure your systems are configured to handle two certificates where needed (the server keeps presenting its publicly trusted certificate, while client certificates are validated against the Private CA)
- Plan ahead to avoid service disruption
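The review and migration steps above (and the two-certificate mTLS setup described under "Who Is Affected?"), as an added example that is not part of the original post and is not Sectigo's or DigiCert's tooling: a POSIX shell script using the openssl CLI (assumed to be OpenSSL 1.1.1 or newer on PATH) that inventories PEM certificates for the Client Authentication EKU, issues a clientAuth-only certificate from a constructed private CA, and verifies it the way an mTLS server would. Every subject name, file name and the CA itself are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the NicSRS post: inventory PEM certificates for the
# Client Authentication EKU and issue a replacement client certificate from a
# private CA. Assumes the openssl CLI (1.1.1+) is on PATH. Every subject name,
# file name and the CA itself are constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"

# eku_names CERT.pem -> prints the certificate's Extended Key Usage line
# (empty when the extension is absent).
eku_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' | tail -n 1
}

# has_client_auth CERT.pem -> 0 if EKU lists TLS Web Client Authentication
# (id-kp-clientAuth, OID 1.3.6.1.5.5.7.3.2), 1 otherwise.
has_client_auth() {
    eku_names "$1" | grep -q 'TLS Web Client Authentication'
}

# has_server_auth CERT.pem -> 0 if EKU lists TLS Web Server Authentication.
has_server_auth() {
    eku_names "$1" | grep -q 'TLS Web Server Authentication'
}

# make_cert NAME "EKU,LIST" -> writes $WORK/NAME.pem, a self-signed certificate
# with the given extendedKeyUsage values; stands in for a CA-issued cert
# (a legacy "serverAuth,clientAuth" cert versus a new "serverAuth"-only one).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/CN=$1.example.test" \
        -addext "extendedKeyUsage=$2" 2>/dev/null
}

# issue_client_cert NAME -> builds the private CA ($WORK/ca.pem) once, then
# signs $WORK/NAME.pem with the clientAuth EKU only. The HTTPS server keeps
# its separate, publicly trusted serverAuth certificate.
issue_client_cert() {
    if [ ! -f "$WORK/ca.pem" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
            -subj "/CN=Example Private Client CA" 2>/dev/null
    fi
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
        -subj "/CN=$1" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' \
        > "$WORK/client.ext"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 90 -extfile "$WORK/client.ext" \
        -out "$WORK/$1.pem" 2>/dev/null
}

# verify_client CERT.pem -> 0 if the cert chains to the private CA and is
# usable as a TLS client certificate (the check an mTLS server performs).
verify_client() {
    openssl verify -CAfile "$WORK/ca.pem" -purpose sslclient "$1" >/dev/null 2>&1
}

# report CERT.pem... -> one inventory line per certificate, as an operator
# would run over an existing certificate store before the cut-over.
report() {
    for c in "$@"; do
        if has_client_auth "$c"; then
            printf '%s: clientAuth present (affected by the EKU removal)\n' "$c"
        else
            printf '%s: no clientAuth EKU (HTTPS-only, unaffected)\n' "$c"
        fi
    done
}

# Demo: a legacy dual-purpose cert, a new serverAuth-only cert, and a
# replacement client cert from the private CA.
make_cert legacy "serverAuth,clientAuth"
make_cert modern "serverAuth"
issue_client_cert api-client
report "$WORK/legacy.pem" "$WORK/modern.pem" "$WORK/api-client.pem"
if verify_client "$WORK/api-client.pem"; then
    echo "api-client.pem verifies against the private CA for TLS client use"
fi
```

Point `report` at the certificates your services actually load (the PEM files referenced from web server, proxy or application configs) to find which ones still carry clientAuth; those are the deployments that need the private-CA client certificate, while the server side continues to present its public certificate and trusts `ca.pem` only for validating clients.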

Key Dates to Remember
- October 7, 2025: Client Authentication removed from new, renewed, or reissued SSL/TLS certificates.
- May 15, 2026: Client Authentication will no longer be supported in any newly issued SSL/TLS certificates.

Final Thoughts
While this may sound like a big change, for nearly all website owners and businesses using SSL/TLS for HTTPS, nothing will change.
For the small fraction of users implementing mutual authentication, now is the time to plan ahead — explore private CA options and prepare for a future where client authentication is managed independently from TLS.

References & Further Reading:
1. Sectigo Official Announcement: Deprecation of Client Authentication EKU
2. DigiCert Knowledge Base: Sunsetting Client Authentication EKU
