The timeline for ending "classic" profile with Client Auth EKU support and changing the default to "tlsserver" in the production environment (ending Feb 2026) has been published here:
Could you please provide a similar timeline for the Staging environment? Specifically, I'm interested in knowing when the default profile is going to drop Client Auth EKU support, as we would like to test how our client handles the switch.
In case you asked, yes, we are able to test it by changing the profile by hand, yet the change on the API side is one of the bullet points we'd like to make sure about.
How did you come to the conclusion that the "classic" profile would go away?
The thing changing for classic in February 2026 is the removal of the TLS Client Auth EKU on newly issued certificates (which the tlsserver profile already doesn't include).
We haven’t decided on specific dates at this time, but it will be something like a few weeks earlier in staging.
We need to balance getting changes tested in staging before going to production along with not having staging drift too far off, as that starts to make it less good at testing anything else happening that needs to go out.