CertiSur
Control Panel
SSL / TLS September 19, 2025

Changes in public TLS certificates: what you need to know and how to prepare

The digital certificate ecosystem is in constant evolution, and it is important that organizations stay informed about the changes that impact their security and operational continuity.

Cambios en certificados TLS públicos: qué debés saber y cómo prepararte

Starting from October 1, 2025 , public TLS certificates will no longer include by default the Client authentication EKU . From that date, these certificates will be issued exclusively with the server authentication EKU.

On a temporary basis, until May 1, 2026 , it will still be possible to manually select the client authentication option in the public TLS/SSL certificate issuance process. However, from that moment on, this possibility will be permanent retirement , both for new issuances and for renewals, reissuances, and duplications.

What does this change imply?

The elimination of the client authentication EKU in public TLS certificates responds to the need to align market practices with browser standards and regulatory bodies. For organizations that still use this type of authentication, it will be key to plan in advance the transition towards alternatives that guarantee security and interoperability.

Available options for your organization

At CertiSur we support you in this adaptation process and put different solutions at your disposal:

  • PKI X9 for TLS certificates
    Allows you to maintain the use of client authentication EKU under an independent certificate policy with the backing of a common trust root. It provides control, flexibility, and scalability for complex environments.

  • PKI as a service
    An alternative designed for internal needs. We configure and manage a private PKI for your company, backed by our operational experience and first-class security standards.

  • Trust Lifecycle Manager
    A detection and automation tool that facilitates the management of your certificate lifecycle, helping you identify changes, mitigate risks, and modernize your digital trust infrastructure.

How to proceed

If your organization depends on client authentication EKU, this is the time to evaluate alternatives and design a safe migration strategy.

At CertiSur we are ready to advise you and help you implement the most suitable solution for your case.

Do you have questions or want to talk to a specialist?
Contactanos en sales@certisur.com and let's work together on the transition plan.

← Back to news