Let’s Encrypt will no longer include the “TLS Client Authentication” Extended Key Usage (EKU) in our certificates beginning in 2026. Most users who use Let’s Encrypt to secure websites won’t be affected and won’t need to take any action. However, if you use Let’s Encrypt certificates as client certificates to authenticate to a server, this change may impact you.
To minimize disruption, Let’s Encrypt will roll this change out in multiple stages, using ACME Profiles.
For the full details and schedule, please see our blog post.
11 Likes
As described in the blog post, the tlsclient profile is now available in staging and will be made available in production on October 1st.
It is currently the same as the classic profile. Anyone who will need more time to migrate can use that profile until May 13, 2026.
13 Likes
The tlsclient profile is now available in production.
It is currently the same as the classic profile. Anyone who will need more time to migrate can use that profile until May 13, 2026.
8 Likes
In our staging environment, Certificates issued with the classic profile no longer contain the “TLS Client Authentication” Extended Key Usage (EKU).
As previously announced, this change will be made in production on February 11th.
9 Likes
Certificates issued with the classic profile no longer contain the “TLS Client Authentication” Extended Key Usage (EKU).
If you require encounter breakage, you can opt-in to the tlsclient profile until May 13, 2026 to receive certificates
15 Likes