Hello Experts, This is regarding the Ending TLS Client Authentication Certificate Support in 2026. We have deployed Cisco Expressway X15.0 and we continue to use the certificates for TLS and mTLS handshake.
How do I switch from the "default Classic ACME" profile to "tlsClient ACME" profile? Does it require product changes in Expressway?
Profiles must be supported by the ACME client. So if Expressway has its own embedded ACME client implementation, yes. It would likely require a product change to support it or at least expose the option if it's using a standard client under the hood.
But if you're using an ACME client outside of Expressway to obtain the cert, that client may already have Profile support. We'd just need to know what client that is to provide guidance.
Thanks for the quick response! Currently Expressway supports only the "Classic" ACME profile, which is hardcoded in the product. Since the Classic profile will not contain Client EKU, customers will be impacted, and hence checking how they can move to the tlsclient profile until May 2026, to give the extra window. Thanks
Thanks! If the product doesn't support requesting the "TLSclient" profile, do we have external means to do so outside Expressway? We have a shorter window to make any changes in the Expressway deployment (any upgrade) and hence checking if we have other means to request the tlsclient profile.
You may be able to use another acme client on another system, get a certificate, and upload it to the software, but I don’t know anything about Expressway so can’t provide specific advice.
Also do note that the tlsclient profile is just a temporary solution, it will cease to exist on May 13.
It just gives you 3 more months to either move away from (your dependency on) TLS Client Auth EKU completely, or migrate to another CA that offers dedicated TLS client certificates (under a separate PKI as required by recent Root CA policies).
Good morning. Since Google is kicking this issue into 2027, will Let's Encrypt continue to sign automated requests using both client and server EKU at this time?
Cisco advised folks to disable ACME due to the original timeline since even though May 13 was a hard stop there was a risk of server only EKU renewal after Feb 11, 2026.
Can you please confirm or provide an update?
This post in the API Announcement section provides the latest news. The Client EKU is no longer included in LE certs except if you use the tlsclient profile.
The recent changes to the Chrome Root Program v1.8 push back the date for removal of the ClientAuth EKU in subscriber certificates to March 15th 2027. Will Let's Encrypt continue to support Server and Client EKU (combined) with "Classic" and "Client" profiles for an extended time?
The ClientAuth EKU has been removed from the classic profile, and I would not expect Let's Encrypt to add it back.
Maybe they'll make it so the tlsclient profile stays available for longer, but even that seems unlikely to me. Some organisations would just use it as an excuse to kick the can down the road and then proceed to forget to prepare for when the tlsclient profile becomes unavailable.
Holding to the current schedule does make it tight for many customers, changes like these are costly and resource intensive so I understand why folks wait.
Cisco has released an interim X15.4 build for the Expressways to 'make this work', but the actual fix won't be available until May.
So, if you're going to keep ACME enabled, seems you have to upgrade the Expressways now and test the interim build. Else opt in to the tlsclient profile and turn off ACME ahead of the March deadline to extend validity, and hope Cisco releases the actual fix before that cert expires.
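To see which side of this change a deployed certificate falls on (both EKUs, or serverAuth only as the classic profile now issues), the Extended Key Usage can be read straight from the PEM file. The script below is an added example, not from any poster in this thread and not Cisco or Let's Encrypt tooling; the function names and output labels are hypothetical, and `make_sample_cert` only builds constructed throwaway certificates for trying it offline (assumes OpenSSL 1.1.1 or later).

```shell
#!/usr/bin/env bash
# Added example: classify a PEM certificate by its Extended Key Usage (EKU).

# eku_status FILE
# Prints one of: server+client, server-only, client-only, no-eku, unreadable
eku_status() {
    local text eku has_server=0 has_client=0
    # Decode the certificate; fail cleanly on a missing or non-PEM file.
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo "unreadable"; return 2; }
    # OpenSSL prints the EKU values on the line after the extension header.
    eku=$(printf '%s\n' "$text" | awk '/X509v3 Extended Key Usage/ { getline; print; exit }')
    case "$eku" in *"TLS Web Server Authentication"*) has_server=1 ;; esac
    case "$eku" in *"TLS Web Client Authentication"*) has_client=1 ;; esac
    case "$has_server$has_client" in
        11) echo "server+client" ;;   # usable for both sides of an mTLS handshake
        10) echo "server-only" ;;     # peers that require clientAuth will reject it
        01) echo "client-only" ;;
        *)  echo "no-eku" ;;
    esac
}

# make_sample_cert OUT.pem [EKU-LIST]
# Constructed test input: a self-signed certificate with the given EKUs (or none).
make_sample_cert() {
    local out=$1 eku=${2:-}
    local args=()
    if [ -n "$eku" ]; then
        args=(-addext "extendedKeyUsage=$eku")
    fi
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed.example" \
        -keyout "$out.key" -out "$out" "${args[@]}" 2>/dev/null
}

# Stand-alone use: pass one or more PEM certificate files as arguments.
for cert in "$@"; do
    printf '%s: %s\n' "$cert" "$(eku_status "$cert")"
done
```

Run against the certificate an appliance presents after each renewal; a change from `server+client` to `server-only` is the point at which peers that enforce clientAuth start failing the mTLS handshake.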