Public CAs are exiting client authentication. Most organisations haven't inventoried what depends on it.

The Chrome root program update on 15 June, combined with LE's 8 July tlsclient sunset, removes the Client Authentication EKU from public TLS leaf certs. Six weeks from now, public CAs are server-auth only.

Most teams know this. Most teams haven't inventoried what client-cert flows they actually have. The ones that fail will fail silently, dependent on how each relying party validates EKU presence.

Worth a 30-minute scan against your fleet before something else absorbs the time.

reddit.com
u/CyphrsHub — 13 days ago
▲ 10 r/PKI

Why public CAs are dropping ClientAuth, and what it means for renewal authority

Reflecting on the Chrome root program update (Section 3.2, effective 15 June) and LE's tlsclient sunset on 8 July: the structural separation of TLS server-auth and client-auth into distinct PKIs isn't just a Chrome policy choice – it's the inevitable end of the "one cert for everything" era.

What it changes in practice:

  • Path validation behaviour on relying parties depends on EKU enforcement. RFC 5280 §4.2.1.12 is permissive at the issuer but restrictive at the receiver.
  • Renewal authority for client-cert populations currently anchored to a public CA needs a destination CA – ADCS or a dedicated private root.
  • Acceptance evidence is the bottleneck. You need to know which devices actually validate the chain change.

Interested whether anyone here is treating this as a forcing function to rethink renewal authority more broadly, or just doing a like-for-like swap.

reddit.com
u/CyphrsHub — 13 days ago

ClientAuth EKU exits public TLS certs in 18 days. Is your fleet ready?

Worth knowing alongside the Secure Boot remediation work: the Client Authentication EKU is being removed from public TLS leaf certs across LE, DigiCert, Sectigo, and GlobalSign. LE pulled it from the default ACME profile in February. The dedicated tlsclient profile (their graceful migration option) sunsets 8 July. Chrome's root program effectively forces it by 15 June with a requirement that TLS client and server auth live in separate PKIs.

Practical impact: if you're using a public CA cert as device identity on a domain-joined PC for an IPsec dial-up VPN, or as the client cert in some service-to-service mTLS the network team set up two years ago, that's going to silently start failing depending on how the relying party validates EKUs.

Anyone else folding an EKU inventory into their cert deadlines work this summer?

reddit.com
u/CyphrsHub — 13 days ago
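A stdlib-only sketch of the EKU inventory these posts call for, added here as an example and not code from the poster: it decodes an extKeyUsage value (SEQUENCE OF OID, RFC 5280 §4.2.1.12) and flags public-CA certs that currently carry clientAuth, since those are the ones that lose it on renewal. The fleet records, issuer names and the "public issuer" set are constructed assumptions; a real run would feed it the extension bytes pulled from each certificate.

```python
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"

def read_length(der, pos):
    """Decode a DER length at der[pos]; return (length, start of content)."""
    first = der[pos]
    if first < 0x80:                      # short form
        return first, pos + 1
    n = first & 0x7F                      # long form: next n bytes hold length
    return int.from_bytes(der[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def decode_oid(body):
    """Decode the content bytes of an OBJECT IDENTIFIER to dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)     # base-128, high bit = continuation
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def parse_eku(ext_value):
    """extKeyUsage value is SEQUENCE OF OBJECT IDENTIFIER; return the OIDs."""
    if ext_value[0] != 0x30:
        raise ValueError("extKeyUsage must be a SEQUENCE")
    seq_len, pos = read_length(ext_value, 1)
    end, oids = pos + seq_len, set()
    while pos < end:
        if ext_value[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oid_len, pos = read_length(ext_value, pos + 1)
        oids.add(decode_oid(ext_value[pos:pos + oid_len]))
        pos += oid_len
    return oids

def needs_migration(record, public_issuers):
    """A public-CA cert that carries clientAuth today loses it at renewal, so
    any relying party that requires the EKU breaks; it needs a private CA."""
    if record["issuer"] not in public_issuers:
        return False
    eku = parse_eku(record["eku"]) if record["eku"] else set()  # absent EKU = no clientAuth
    return CLIENT_AUTH in eku

# Constructed sample fleet: one dual-use public cert, one server-only, one private
EKU_BOTH = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
EKU_SERVER = bytes.fromhex("300a" "06082b06010505070301")
FLEET = [
    {"subject": "vpn-gw.example.test", "issuer": "public-ca-1", "eku": EKU_BOTH},
    {"subject": "www.example.test", "issuer": "public-ca-1", "eku": EKU_SERVER},
    {"subject": "svc-a.internal.test", "issuer": "corp-adcs", "eku": EKU_BOTH},
]
PUBLIC = {"public-ca-1"}  # assumed: issuers known to be public CAs

def inventory(fleet=FLEET, public=PUBLIC):
    """Subjects whose client-auth use is anchored to a public CA."""
    return sorted(r["subject"] for r in fleet if needs_migration(r, public))

if __name__ == "__main__":
    print(inventory())
```

Only the VPN gateway cert is flagged: the web cert never had clientAuth, and the ADCS-issued service cert is unaffected by the public-CA change.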