20250516 - Deprecation of the Client Authentication EKU (Extended Key Usage) for SSL Certificates
Starting June 15, 2026, Google Chrome will no longer recognize server SSL certificates that include a "Client Authentication" EKU. Only the "Server Authentication" EKU will be accepted.
What is an EKU?
An EKU, or Extended Key Usage, is an extension that specifies the uses that can be made of a certificate.
A certificate can combine several uses, such as authentication, signing, or encryption. The value of its EKU will then determine which applications or purposes the certificate can be used for.
Why this change?
Google, through its Chrome root policy, has introduced new security requirements prohibiting the inclusion of the client authentication EKU in public SSL/TLS certificates. These changes aim to better regulate certificate use and improve the security of the ecosystem.
What's Changing
Until now, most server certificates were issued with both the "TLS Web Server Authentication" and "TLS Web Client Authentication" EKUs. Going forward, they will be issued with only "TLS Web Server Authentication."
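To check whether a given certificate carries the "Client Authentication" EKU described above, the following added example (not from the original page or from any CA's tooling) scans a DER-encoded certificate for the extended key usage extension and lists its key purpose OIDs. The function names and the two sample byte strings are constructed for illustration.

```python
EKU_EXT = bytes.fromhex("0603551d25")      # DER OID 2.5.29.37 (extendedKeyUsage)
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"          # TLS Web Server Authentication
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"          # TLS Web Client Authentication

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):                      # OID content bytes -> dotted string
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends this arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)          # first two arcs share one value
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first, *arcs[1:]])

def eku_oids(der):
    """Key purpose OIDs from the EKU extension, or [] when there is none."""
    start = der.find(EKU_EXT)
    while start != -1:                     # retry if the bytes matched by chance
        try:
            tag, value, pos = read_tlv(der, start + len(EKU_EXT))
            if tag == 0x01:                # optional "critical" BOOLEAN
                tag, value, pos = read_tlv(der, pos)
            seq_tag, seq, _ = read_tlv(value, 0)
            if tag == 0x04 and seq_tag == 0x30:   # OCTET STRING holding a SEQUENCE
                oids, p = [], 0
                while p < len(seq):
                    _, body, p = read_tlv(seq, p)
                    oids.append(decode_oid(body))
                return oids
        except (ValueError, IndexError):
            pass
        start = der.find(EKU_EXT, start + 1)
    return []

def has_client_auth(der):
    return CLIENT_AUTH in eku_oids(der)

# Constructed samples: only the EKU extension bytes, not complete certificates.
BOTH_EKUS = bytes.fromhex("301d0603551d250416301406082b0601050507030106082b06010505070302")
SERVER_ONLY = bytes.fromhex("30130603551d25040c300a06082b06010505070301")
```

For a PEM file, convert it first with `ssl.PEM_cert_to_DER_cert()` from the Python standard library and pass the result to `has_client_auth()`.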
Timeline
- April 8, 2025: Sectigo will stop including the "Client Authentication" EKU in QWAC SSL/TLS certificates.
- September 15, 2025: Sectigo will stop including the "Client Authentication" EKU by default in SSL/TLS certificates. It will still be possible to obtain a certificate including this field under certain conditions.
- October 1, 2025: DigiCert will stop including the "Client Authentication" EKU in SSL/TLS certificates.
- May 15, 2026: Sectigo will no longer include the "Client Authentication" EKU in new SSL/TLS certificates.
- June 15, 2026: Chrome will stop accepting server certificates issued after June 15, 2026, that include the "Client Authentication" EKU.
NOTE: Starting in early May 2026, Sectigo certificates issued via TBS will no longer include the "Client Authentication" EKU field.
What are the consequences?
If your tools require this extension, you will need to switch to another product.
QWAC Certificates
Since April 8, 2025, Sectigo QWAC SSL certificates have been issued with only a "Server Authentication" EKU.
It is now possible to use this type of certificate to connect to Chorus Pro via the AS2 EDI protocol.
What impact will this have on existing certificates?
None. These certificates will continue to function normally until their expiration date.
However, if a reissue is performed after the deadline, the new certificate will be issued with only the "TLS Web Server Authentication" EKU.


