Critical Deadline: June 15, 2026

Chrome will reject all public TLS certificates with ClientAuth EKU after this date.

days

hrs

min

sec

HardComplianceChecklist

ClientAuth EKU Migration Checklist

Complete migration checklist for organizations affected by the Chrome ClientAuth EKU removal. Covers discovery, planning, implementation, and production cutover phases.

2-4 weeks

Last Updated: January 2026

Progress: 0/53 complete0%

When to Use

• Using public CA certificates for mTLS
• Server-to-server authentication with public certs
• API gateways authenticating with public TLS certs
• Partner B2B integrations using public certificates

Do NOT Use For

• Standard HTTPS websites (ServerAuth only)
• Already using Let's Encrypt (no ClientAuth)
• Already using private/internal PKI

Quick Reference (TL;DR)

Inventory all certificates using ClientAuth EKU from public CAs
Select migration path: Private PKI, PKIaaS, X9 PKI, or separate certs
Deploy new infrastructure and issue replacement certificates
Test thoroughly, then execute production cutover before June 2026

1Prerequisites

Objective: Confirm scope and readiness before starting the migration

Confirmed organization uses public CA certificates for client authentication (mTLS)

Identified all Certificate Authorities currently issuing certificates with ClientAuth EKU

Obtained CA-specific timeline documents (DigiCert, Sectigo, or other CA announcements)

Assigned migration project owner and stakeholders

Secured executive sponsorship and budget allocation for potential infrastructure changes

💡 If you only use public certificates for HTTPS (ServerAuth), you are NOT affected by this change

💡 Let's Encrypt certificates already exclude ClientAuth EKU and require no action

2Phase 1: Discovery

Objective: Build a complete inventory of affected certificates and dependencies

Inventory all certificates with ClientAuth EKU (OID 1.3.6.1.5.5.7.3.2)

openssl x509 -in cert.pem -noout -text | grep -A 1 "Extended Key Usage"

Document each certificate: issuing CA, expiration date, deployment location(s)

Map use cases for each ClientAuth certificate (mTLS, API gateway, service mesh, partner integration)

Identify systems that validate ClientAuth EKU (load balancers, API gateways, application servers)

Document trust store dependencies and certificate chain requirements

Check expiration dates against CA removal timelines (May 2026 for DigiCert/Sectigo)

Identify partner/vendor integrations that may require coordination

💡 Use Certificate Transparency logs (crt.sh) to discover certificates you may have missed

💡 Consider CLM tools (Venafi, Keyfactor, DigiCert) for automated discovery

4Phase 3: Implementation

Objective: Deploy new infrastructure and issue replacement certificates

Deployed new CA infrastructure (if Private PKI or self-managed)

Configured issuing CA with appropriate certificate profiles including ClientAuth EKU

Created and documented certificate request/issuance process

Distributed new root/intermediate CA certificates to all trust stores

Updated trust store configuration on all validating systems (load balancers, API gateways)

Issued replacement ClientAuth certificates from new CA

Verified new certificates contain correct EKUs

openssl x509 -in new-cert.pem -noout -text | grep -A 3 "Extended Key Usage"

Deployed new certificates to test/staging environment

Executed end-to-end mTLS testing in test environment

Documented any issues encountered and resolutions applied

💡 Always test trust store distribution before certificate deployment

💡 Maintain old certificates as fallback until cutover is validated

6Final Verification

Objective: Confirm migration success and close out the project

All systems using new ClientAuth certificates from private/alternative CA

No remaining dependencies on public CA ClientAuth certificates

Certificate monitoring updated for new certificates

Expiration alerts configured for new certificate lifecycle

Automation in place for certificate renewal (ACME, EST, or CLM integration)

Runbook updated with new certificate management procedures

Project retrospective completed and lessons learned documented

Stakeholders notified of successful migration completion

Related Resources

📖 ClientAuth EKU Sunset Guide 📖 Compliance Hub 🎬 mTLS Demo ✅ PKI Compliance Checklist ✅ CA Migration Runbook 📖 Crypto Agility Guide

← Back to Checklists Library