The timeline for ending "classic" profile with Client Auth EKU support and changing the default to "tlsserver" in the production environment (ending Feb 2026) has been published here:
Could you please provide a similar timeline for the Staging environment? Specifically, I'm interested in knowing when the default profile is going to drop Client Auth EKU support, as we would like to test how our client handles the switch.
In case you asked, yes, we are able to test it by changing the profile by hand, yet the change on the API side is one of the bullet points we'd like to make sure about.
How did you come to the conclusion that the "classic" profile would go away?
The thing changing for classic in February 2026 is the removal of the TLS Client Auth EKU on newly issued certificates (which the tlsserver profile already doesn't include).
We haven’t decided on specific dates at this time, but it will be something like a few weeks earlier in staging.
We need to balance getting changes tested in staging before going to production along with not having staging drift too far off, as that starts to make it less good at testing anything else happening that needs to go out.
@aarongable Thanks, we're aware of that. That's basically one of our checkpoints in testing the migration away from 2EKU certs, to confirm it works with Staging Let's Encrypt ACME, hence the question. We test with Pebble locally and use tlsserver profile, however wanted to test the behavior live when 2EKU profile becomes 1EKU at some point.
As far as Staging timeline is concerned, do you think 2EKU -> 1EKU for 'classic' is more likely to happen in December '25 or rather January?
Without committing to a specific date, I'd say it's much more likely that Staging's classic profile will change in January.
It's possible (likely, even) that Staging's profile won't change until February, as our committed date for the Production change isn't until the second week of Feb.