Also, the WebPKI as a whole (as shepherded by the CA/Browser Forum) has been moving away from allowing the TLS Client Auth Extended Key Usage to appear in publicly-trusted certificates. It'll probably still be a while before they get banned, but the ecosystem is certainly moving in that direction, so I'd advise against adding reliance on the Client Auth EKU in publicly-trusted certs today. We'll likely phase it out of the certs we issue sometime in the next few years.
8 Likes