DigiCert Extends ClientAuth EKU Sunset Date to March 2027
DigiCert has announced an extended timeline for removing the Client Authentication (clientAuth) Extended Key Usage (EKU) from its public SSL/TLS certificates. The new deadline is March 1, 2027, moved back from the previously announced May 1, 2026, giving affected organizations 12 months to prepare for the transition.
The updated schedule aligns with the revised Google Chrome root program policy, which mandates the removal of clientAuth EKU from publicly trusted TLS certificates.
What this means in practice: you can continue obtaining public SSL/TLS certificates with the clientAuth EKU for an additional year compared to the original timeline. After March 1, 2027, certificates issued by DigiCert (including DV, OV, and EV types) will no longer include the clientAuth EKU. This applies across all DigiCert brands: DigiCert, GeoTrust, Thawte, and RapidSSL.
If your infrastructure relies on clientAuth in public TLS certificates, use the extended timeline to plan your migration to private PKI solutions.