
What’s Changing?
Google is updating its Chrome Root Store Policy (v1.6) so that publicly-trusted SSL/TLS certificates issued on or after June 15, 2026, can only include the serverAuth extended key usage (EKU). Certificates that also include clientAuth (used for client authentication in mutual TLS) will no longer be trusted by Chrome.
Key Dates to Know
| Date | Requirement |
|---|---|
| June 15, 2025 | Chrome Root Store stops accepting new intermediate CAs that combine serverAuth + clientAuth. |
| Sept 15, 2025 | Recommended deadline for CAs to shift to dedicated server-auth PKI hierarchies. |
| June 15, 2026 | All new public SSL certs must include only serverAuth; legacy certs remain valid until they expire. |
Why This Matters
- Browser Security & Trust: Separating server and client authentication in certificate chains enhances trust and reduces security risks.
- CA Industry Alignment: Major CAs like DigiCert, Let’s Encrypt, and Sectigo are phasing out clientAuth in line with Chrome’s timeline.
What You Need to Do
If You Only Use SSL for Websites:
No action needed. Your current certificates with serverAuth are unaffected.
If You Use Client Certificates (e.g., mTLS or server-to-server):
You must migrate client authentication away from these mixed-use public certs. There are two primary alternatives:
1 – Issue a separate, public client auth certificate
Use S/MIME or clientAuth-only certs from public CAs specifically meant for client authentication.
2 – Switch to a private CA for client authentication
Best suited for internal mTLS or server-to-server scenarios. Chrome’s policy doesn’t affect private CAs.
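To find out which of your certificates the deadline actually affects, here is an added Go example (not code from this page, from Google, or from any CA) that classifies a parsed certificate by its EKUs and issue date against the June 15, 2026 cutoff; the SelfSigned helper and its all-zero key seed exist only to mint constructed sample input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Chrome Root Store Policy v1.6 cutoff, and the EKU pairing it phases out.
var cutoff = time.Date(2026, time.June, 15, 0, 0, 0, 0, time.UTC)
var MixedEKU = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}

// Verdict returns "ok" (no clientAuth EKU), "legacy" (clientAuth, issued before
// the cutoff: trusted until expiry, migration still needed) or "untrusted".
func Verdict(cert *x509.Certificate) string {
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageClientAuth {
			if cert.NotBefore.Before(cutoff) {
				return "legacy"
			}
			return "untrusted"
		}
	}
	return "ok"
}

// SelfSigned mints a throwaway self-signed certificate (constructed sample
// input, not any CA's real certificate) with the given EKUs and issue date.
func SelfSigned(ekus []x509.ExtKeyUsage, notBefore time.Time) *x509.Certificate {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // fixed throwaway seed
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	cert, perr := x509.ParseCertificate(der) // der is nil (so perr is set) when err != nil
	if err != nil || perr != nil {
		panic("constructing the sample certificate failed")
	}
	return cert
}

func main() {
	fmt.Println(Verdict(SelfSigned(MixedEKU, cutoff.AddDate(0, 0, -1))), Verdict(SelfSigned(MixedEKU, cutoff))) // legacy untrusted
}
```

For real certificates, load them with x509.ParseCertificate (or from a PEM file) and pass them to Verdict in place of the sample.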
CA Rollout Plans
DigiCert: Stops including clientAuth by default from Oct 1, 2025; removes it entirely by May 1, 2026.
Let’s Encrypt: Phased rollout: clientAuth omitted by default from Feb 11, 2026; removed completely by May 13, 2026.
Sectigo: Phasing out from Sept 15, 2025; fully removed by May 15, 2026.
Why Google Is Enforcing This
- Simplifies PKI management by avoiding “Swiss army” certificates.
- Limits attack surface: restricts permissions and trust chains to one use.
- Reinforces PKI integrity by separating public and private CAs’ responsibilities.
Final Takeaway
- Public certs issued after June 15, 2026: only serverAuth EKU allowed.
- Legacy certs: Still valid until expiry, even if they include clientAuth.
- Action needed only if you’re using certificates for client authentication.
- Solutions: Obtain dedicated client auth certs or build a private CA.
This transition may seem technical, but it’s a major step in modernising web security. If your setup involves mutual TLS or client-auth, start planning your migration now to ensure smooth operations by mid-2026.
Need help choosing client certificate options or setting up a private CA? Just ask!