Ending TLS Client Authentication Certificate Support in 2026

mcpherrinm · May 14, 2025, 3:01pm

Let’s Encrypt will no longer include the “TLS Client Authentication” Extended Key Usage (EKU) in our certificates beginning in 2026. Most users who use Let’s Encrypt to secure websites won’t be affected and won’t need to take any action. However, if you use Let’s Encrypt certificates as client certificates to authenticate to a server, this change may impact you.

To minimize disruption, Let’s Encrypt will roll this change out in multiple stages, using ACME Profiles.

For the full details and schedule, please see our blog post.

mcpherrinm · September 25, 2025, 6:12pm

As described in the blog post, the tlsclient profile is now available in staging and will be made available in production on October 1st.

It is currently the same as the classic profile. Anyone who will need more time to migrate can use that profile until May 13, 2026.

mcpherrinm · October 1, 2025, 6:28pm

The tlsclient profile is now available in production.

It is currently the same as the classic profile. Anyone who will need more time to migrate can use that profile until May 13, 2026.

Topic		Replies	Views
How do we verify if we are affected by the last announcement? Help	7	240	June 13, 2025
Upcoming Changes to Let’s Encrypt Certificates API Announcements	1	28810	December 19, 2025
Staging API timeline for default issuance profile changes Issuance Policy	8	217	October 25, 2025
Certificates with single EKU Issuance Policy	9	474	March 27, 2025
Removal of Client EKU Clarification Help	3	171	August 8, 2025

Ending TLS Client Authentication Certificate Support in 2026

Related topics