Do You Even Know If You Use Client Authentication Certificates?
Public CAs are pulling clientAuth from public TLS certificates. Most teams don't know they rely on it — until a renewal breaks a partner integration.

The short version
If any of your systems use mutual TLS — API gateways, B2B partner integrations, service meshes, VPNs, database client connections — you almost certainly rely on client authentication certificates, and plenty of teams don't know which ones or where they are. The reason it matters now: public CAs are pulling the clientAuth EKU. loading dates… Nothing breaks on those dates. It breaks at your next renewal after them — the new cert is valid for HTTPS, passes every expiry monitor, and then a partner's gateway rejects it on the EKU check. This guide shows you how to find every clientAuth certificate you have — one cert at a time, per live endpoint, and across the whole estate — so you can act before a renewal takes an integration down.
What a "client authentication certificate" actually is
There is no separate certificate type called a client certificate. It's an ordinary X.509 certificate whose Extended Key Usage (EKU) extension asserts the client-authentication purpose. Two OIDs matter:
Server authentication —
1.3.6.1.5.5.7.3.1(id-kp-serverAuth) — "this cert can identify a server," i.e. normal HTTPS.Client authentication —
1.3.6.1.5.5.7.3.2(id-kp-clientAuth) — "this cert can identify a client," i.e. the machine or service presenting a certificate in an mTLS handshake.
The certificates at the center of the 2027 changes are dual-EKU certs — public TLS certificates that carry both purposes. For years, most public CAs added clientAuth by default, so a cert someone requested to serve a website has quietly been usable as a client identity too. That is exactly what the CA/Browser Forum and the Chrome Root Program are ending: public TLS certificates are being restricted to serverAuth only.
Why you probably don't know you use them
This was the point raised on the Root Causes podcast, and it's the failure pattern worth internalizing: teams confidently say "clientAuth deprecation won't affect us" — right up until something breaks. Three reasons the exposure stays invisible:
1Nobody asked for clientAuth
The cert was requested for a website. The clientAuth EKU came along for free because the CA included it by default. No ticket, no inventory field, no owner knows it's load-bearing.
2It validates fine as a server cert
Every expiry dashboard and SSL checker shows the cert as healthy, because it is a valid server certificate. The clientAuth purpose is only exercised on the far side of an mTLS handshake you may not control.
3The break is deferred and silent
When the clientAuth EKU disappears at renewal, the new cert still serves HTTPS perfectly. The mTLS peer rejects it, the failure looks like the partner's problem, and nobody connects it to a CA policy change until someone diffs the old and new certificates.
The deadlines that make this urgent
These update automatically from the FixMyCert Compliance Hub.
The critical mental model: existing certificates keep working until they expire. The exposure is every dual-EKU cert whose first renewal falls after its CA's removal date. That's what you're hunting for.
Step 1 — Inspect a single certificate
Start by learning to read the EKU on one cert. Given a PEM file, run:
openssl x509 -in cert.pem -noout -ext extendedKeyUsage
Example output:
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication"TLS Web Client Authentication" in the output means the clientAuth EKU is present. On OpenSSL older than 1.1.1 (no -ext flag), fall back to:
openssl x509 -in cert.pem -noout -text | grep -A1 "Extended Key Usage"
A cert that shows only TLS Web Server Authentication is already serverAuth-only and safe. A cert showing both is a dual-EKU cert — flag it and find out whether the clientAuth purpose is actually used.
Step 2 — Check a live endpoint
You won't always have the file. Pull the leaf straight off a running service and inspect it in one pipe:
openssl s_client -connect gateway.example.com:443 -servername gateway.example.com </dev/null 2>/dev/null \ | openssl x509 -noout -ext extendedKeyUsage
Point this at the endpoints that terminate mTLS — API gateways, partner-facing load balancers, mesh ingress — not just your public website. Remember that in mTLS the certificate that needs clientAuth is the one the client presents, so also check the certs your outbound services use when they connect to someone else.
Step 3 — Sweep a host's certificate files
On any Linux host, find PEMs that carry clientAuth without opening each one by hand:
for f in $(grep -rlE "BEGIN CERTIFICATE" /etc/ssl /etc/pki /opt 2>/dev/null); do
if openssl x509 -in "$f" -noout -ext extendedKeyUsage 2>/dev/null | grep -q "Client Authentication"; then
echo "clientAuth: $f"
fi
doneOn Windows or AD CS environments, query the machine store with PowerShell and match on the clientAuth OID (more robust than the friendly name):
Get-ChildItem Cert:\LocalMachine\My | Where-Object {
$_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2'
} | Select-Object Subject, NotAfter, Thumbprint,
@{n='Issuer';e={$_.Issuer}},
@{n='EKU';e={($_.EnhancedKeyUsageList.FriendlyName) -join ', '}}Step 4 — Inventory across the estate
Per-host sweeps don't scale to an enterprise. Use whichever of these you already have wired up:
Your CA portal first
This is the fastest high-signal source. In DigiCert CertCentral or Sectigo Certificate Manager, filter issued certificates by product or profile and EKU. The certs you care about are public TLS certs issued before your CA's default-removal date (October 2025) that are still in service — those are the ones carrying clientAuth that will lose it at renewal.
Certificate Transparency logs
Every publicly trusted cert for your domains is logged. Enumerate them with a CT search — for example the crt.sh query for %.example.com — to get the full list of live certs and which CA issued each. CT won't show the EKU in the list view, so treat it as a discovery net: pull the leaf for anything issued by a CA that historically defaulted to clientAuth and inspect it with Step 1.
Network discovery
If there's no central inventory, scan for TLS ports and pull certs. An nmap scan of ports 443, 8443, and 9443 with the ssl-cert script gives you subject, issuer, and validity per host; nmap's ssl-cert script doesn't reliably print the EKU, so feed each discovered endpoint back through the Step 2 check. See the nmap certificate discovery guide for a full walkthrough.
A certificate management platform
If you run Venafi (now CyberArk), a CLM, or cert-manager, you already have the inventory — add or filter on the EKU attribute rather than launching fresh scans. Discovery jobs can tag every dual-EKU cert in one pass.
Step 5 — Look where clientAuth actually hides
Discovery tools find certs; they don't tell you which ones are load-bearing for client identity. These are the places dual-use certs quietly do double duty:
The classic case: a partner's gateway pins or requires your cert on the mTLS leg.
Istio/Envoy, Linkerd — usually private-CA issued already, but verify.
F5 client SSL profiles, HAProxy, NGINX doing mTLS to upstreams.
Client-certificate auth on the concentrator.
Postgres, MySQL, MongoDB, and SQL Server all support requiring a client certificate.
Kafka mTLS, gRPC channels.
For each hit, record the subject, issuer (which CA), expiry, and whether the clientAuth purpose is genuinely exercised.
Step 6 — Triage what you found
| What you found | Real exposure | Action |
|---|---|---|
| serverAuth-only cert | None | No action |
| Dual-EKU cert, clientAuth not used anywhere | Cosmetic | Let it renew serverAuth-only; confirm nothing silently depended on it |
| Dual-EKU public cert used as a client identity | High — breaks at first renewal after the CA's removal date | Split it: keep a public serverAuth cert for the site, move the client identity to a private CA before the last pre-deadline renewal |
| Cert from a CA past its default-removal date, renewing after that CA's removal deadline | High | Same — plan the migration now |
The fix itself — splitting dual-use certs and standing up private PKI for client identities — is its own project. Once you've built the inventory here, follow the deprecation and migration guides below.
Next steps
ClientAuth EKU Deprecation — Chrome Kills Public mTLS
What's changing and why
Client Authentication EKU Sunset
Migration options (private PKI, PKIaaS, X9 PKI, separate certs)
mTLS / Mutual TLS
mTLS fundamentals
Compliance Hub
Track the live deadlines
Find them now, while every affected cert is still valid and you're working from an inventory instead of an incident.