APRIL 2026

Client Authentication in public SSL certificates: what changes from 2026 and which solutions to adopt

Starting June 15, 2026, new rules issued by the Google Chrome Root Program take effect and change how Client Authentication (clientAuth) may appear in publicly trusted SSL/TLS certificates.
Specifically, public SSL server certificates will no longer be allowed to carry the Extended Key Usage (EKU) dedicated to client authentication (id-kp-clientAuth, OID 1.3.6.1.5.5.7.3.2), the value that mTLS (mutual TLS) and machine-to-machine integrations rely on when a certificate is presented by the connecting party rather than by the server.

Traditional web browsing will not be affected, but for some application integrations it will be necessary to evaluate suitable alternatives. In this article, we analyze the context, the reasons behind the change, and the solutions available through Actalis to ensure continuity and compliance.

Why Client Authentication is being deprecated in SSL certificates

The Chrome Root Program requires, from June 15, 2026, a clear separation between two kinds of certificates:

  1. those dedicated to securing web servers via HTTPS (serverAuth EKU),
  2. and those used to authenticate clients, devices, or services in mTLS scenarios (clientAuth EKU).

The reason is that the Chrome Root Store is dedicated to TLS server authentication: the CA hierarchies it trusts are expected to issue server certificates only, so client authentication has to be served from separate hierarchies.

From June 15, 2026, public SSL server certificates can therefore no longer include the clientAuth EKU value (it is a value inside the Extended Key Usage extension, not a separate extension).
In practice, the certificate a server presents to browsers can no longer be reused by that same server as a client certificate when it calls another server that requires mTLS. The impact surfaces at renewal, when the renewed server certificate comes back without clientAuth.

The change affects only machine-to-machine communications and does not impact the use of SSL certificates for standard web browsing.

Who the change is addressed to

Websites that use SSL certificates only to ensure HTTPS connections do not need to take any action: the clientAuth EKU is not required for this purpose and its absence has no consequences.

The change, however, affects:

  1. API integrations secured via mTLS,
  2. server-to-server communications,
  3. payment systems,
  4. devices and services that require authentication via a public certificate.

In these cases, it is necessary to replace current certificates with solutions suited to the intended use.

Actalis solutions to continue using clientAuth

Analyzing the use case makes it possible to quickly identify the most suitable certificate. Below is an operational summary.

1. If only clientAuth is required, and the certificate does NOT need to be trusted in browsers, the recommended solution is:

• Actalis SSL Client Certificates
  This is the simplest and most natural choice for this type of need. These certificates have a profile specific to TLS client authentication and, since they are not issued under a browser-trusted TLS root, fall outside browser root program and CA/Browser Forum requirements. The mTLS server (the relying party) only needs the issuing CA in its own client-certificate trust list.

2. If only clientAuth is required but the certificate MUST be trusted in browsers, the recommended solution is:

• Actalis S/MIME Certificates
  An S/MIME certificate can include the clientAuth EKU and is issued under a publicly trusted root (an S/MIME root, which is not subject to the Chrome Root Program's TLS server rule). Note that for mTLS the party that has to trust the issuer is the server accepting the client certificate, so that server must still be configured with the S/MIME issuing CA in its client-certificate trust list.

3. If an SSL server certificate is required that also includes clientAuth and must be issued by a recognized CA, the recommended solution is:

• QWAC Certificates

for regulated scenarios or specific requirements where the certificate must:

1. be an SSL server certificate,
2. include clientAuth,
3. be issued by a recognized CA.

These are SSL server certificates in all respects (they are issued in the same way), can include the clientAuth EKU, and are issued by a qualified trust service provider listed in the EU Trusted List under eIDAS, thus fully meeting the requirement.
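The point common to all three options is that the trust decision for a client certificate is made by the mTLS server, not by a browser. As an added example (not Actalis configuration, and not from the original article), here is an nginx server that presents a serverAuth-only public certificate for its own identity and validates client certificates against a dedicated client CA bundle; the host name and file paths are assumptions.

```nginx
server {
    listen 443 ssl;
    server_name api.example.test;                          # assumed host name

    # The server's own identity: a public TLS certificate with serverAuth only.
    ssl_certificate     /etc/nginx/tls/server-fullchain.pem;   # assumed path
    ssl_certificate_key /etc/nginx/tls/server.key;             # assumed path

    # Client authentication: the CA(s) whose client certificates are accepted.
    # This is a private trust list chosen by the operator; it does not have to
    # match any browser root store, so a dedicated client CA (or an S/MIME CA,
    # if that is what issued the client certificates) goes here.
    ssl_client_certificate /etc/nginx/tls/client-ca-bundle.pem;  # assumed path
    ssl_verify_client on;          # reject connections that present no valid client certificate
    ssl_verify_depth 2;            # allow one intermediate between root and client certificate

    location / {
        # Forward the verified identity to the backend instead of trusting a
        # client-supplied header.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Whichever certificate type is chosen from the list above, the bundle referenced by ssl_client_certificate is what must contain the issuing CA; browser trust plays no role in that handshake.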

How to prepare for the June 15, 2026 deadline

To ensure operational continuity, we recommend:

1. Mapping current certificate usage in mTLS flows.
2. Verifying the presence of the clientAuth EKU.
3. Identifying the correct type of certificate required, considering the guidance above.
4. Planning the replacement of affected certificates in advance.
5. Performing tests in demo environments before rollout.
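Steps 1 and 2 above in script form, as an added example that is not an Actalis tool: POSIX shell functions that use the openssl CLI to report whether a PEM certificate carries the clientAuth and/or serverAuth EKU and to classify each certificate in a directory against the new rule. The self-signed test certificates minted at the end are throwaways constructed here for the demonstration; their file names and common names are assumptions.

```shell
#!/bin/sh
# Added example (not Actalis code): audit PEM certificates for the clientAuth EKU.
# Assumes the openssl CLI is on PATH. Uses the textual dump rather than
# "-ext extendedKeyUsage", so it works on older OpenSSL and on LibreSSL.

# Succeeds (exit 0) if the certificate carries id-kp-clientAuth.
has_client_auth() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Client Authentication'
}

# Succeeds (exit 0) if the certificate carries id-kp-serverAuth.
has_server_auth() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication'
}

# Classify one certificate against the Chrome Root Program rule:
#   server-only  serverAuth without clientAuth: unaffected
#   dual-use     serverAuth and clientAuth: public TLS CAs stop issuing this profile
#   client-only  clientAuth without serverAuth: must come from a non-TLS hierarchy
#   no-eku       no EKU extension at all
classify_cert() {
    if has_server_auth "$1"; then
        if has_client_auth "$1"; then echo "dual-use"; else echo "server-only"; fi
    elif has_client_auth "$1"; then
        echo "client-only"
    else
        echo "no-eku"
    fi
}

# Step 1: walk a directory of PEM certificates and print "<class><TAB><path>".
audit_dir() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(classify_cert "$f")" "$f"
    done
}

# Mint a throwaway self-signed certificate (constructed test data, not a real CA).
# $1 = output PEM path, $2 = CN, $3 = extendedKeyUsage value ("" for no EKU)
make_test_cert() {
    cnf=$(mktemp)
    {
        printf '[req]\ndistinguished_name = dn\nx509_extensions = v3\nprompt = no\n'
        printf '[dn]\nCN = %s\n' "$2"
        printf '[v3]\nbasicConstraints = CA:FALSE\n'
        if [ -n "$3" ]; then printf 'extendedKeyUsage = %s\n' "$3"; fi
    } > "$cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days 1 -config "$cnf" >/dev/null 2>&1
    rm -f "$cnf" "$1.key"
}

# Demo on constructed certificates covering all four classes.
demo_audit() {
    dir=$(mktemp -d)
    make_test_cert "$dir/dual.pem"   api.example.test "serverAuth,clientAuth"
    make_test_cert "$dir/server.pem" www.example.test "serverAuth"
    make_test_cert "$dir/client.pem" batch-job-01     "clientAuth"
    make_test_cert "$dir/noeku.pem"  legacy-appliance ""
    audit_dir "$dir"
    rm -rf "$dir"
}

# Usage: sh audit_eku.sh /path/to/certs   (no argument runs the demo)
if [ $# -gt 0 ]; then audit_dir "$1"; else demo_audit; fi
```

Every line reported as dual-use is a certificate whose renewal will come back without clientAuth and therefore needs one of the replacements discussed above. For step 5, the replacement client certificate can be exercised against the target server with `openssl s_client -connect host:443 -cert client.pem -key client.key`, which shows the server's list of acceptable client CA names and whether the handshake completes.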

Conclusion

The removal of the clientAuth EKU from public SSL certificates represents a significant change for architectures that use mTLS, while it has no impact on websites that only need to support standard user browsing.

Actalis offers a complete range of certificates (SSL Client, S/MIME, and QWAC) to address any technical or regulatory requirement, ensuring service continuity and full compliance with the new international requirements.

To further explore the scenario or evaluate the most suitable certificate, the Actalis team is available for dedicated support.
