Sectigo and PositiveSSL client authentication EKU

From 07 OCTOBER 2025 deprecation of the client authentication EKU will take place from all SSL/TLS certificates. This is in response to the browser forum requirements to remove support. From 15 MAY 2026 all publicly trused certificates from any CA will no longer support client authentication EKU.

From 21 NOVEMBER 2025 Servertastic has enabled client authentication on all Sectigo and PositiveSSL and these certificates will still be issued with the client authentication EKU in place until 15 MAY 2026.

If you use your certificate for mTLS server-to-server or client-to-server authenticaiton then you will be impacted. After the 15 MAY 2026 you should consider transitioning to a private CA. Contact our sales team about options available.