UPDATE – “Upcoming changes regarding TLS Client Authentication in TLS Server Authentication Certificates”

Updated Feb 17, 2026

Important Notice: We would like to inform you that, following the recent updates to the Chrome Root Program Policy and the extension of the deprecation timeline for the TLS Client Authentication EKU in TLS Server certificates, HARICA will postpone the previously announced actions by approximately nine (9) months.

The updated timeline will be communicated at a later date.

Dear HARICA Subscribers,

We are announcing an upcoming update to our Publicly-Trusted SSL/TLS Web Server Certificates.

Effective March 2, 2026, HARICA will no longer include the TLS Client Authentication (Client Auth) Extended Key Usage (EKU) value by default in newly issued TLS Server certificates that chain to the Chrome Root Store.

Why are we making this change?

This update is required by the Google Chrome Root Program Policy. It strengthens security by ensuring that server authentication certificates are restricted strictly to server authentication.

How does this affect you?

For Standard Web Servers (HTTPS): There is no impact. Certificates used solely to secure a website and issued prior to the effective date will remain valid and functional until their expiration date.

For Mutual TLS (mTLS) Configurations: If you currently use the same certificate to identify your server to clients and to authenticate your server as a client to other back-end systems, you must take action.

Action Required: If your system requires Client Authentication:

You must issue a dedicated Client Certificate (S/MIME or dedicated Client Auth) for that specific purpose. HARICA offers such certificates.
If your solution does not support two distinct client and server authentication certificates, you need to document your use case in detail and explain why the two-certificate approach is not feasible. HARICA may grant an extension to this effective date on a case-by-case basis allowing more time for you to implement the necessary changes using two certificates. This extension cannot exceed May 15, 2026.
Based on industry best practices, use cases relying on mTLS should use a Private PKI instead of Publicly-Trusted Certificates. You may contact sales@harica.gr for more information about these solutions.

Do you have any additional questions or concerns?

If you have questions or need more information, please contact the HARICA support at support@harica.gr.

TAGS:

Client Auth, TLS