May 2025 - Client Authentication Certificates (clientAuth) Deprecation
Changes to clientAuth support in Google Trust Services Certificates
Google Trust Services will be dropping clientAuth support in public TLS certificates following the
phased rollout plan below. This change is being made in response to Browser Root Program requirement
changes that impact all public Certificate Authorities.
Phased Rollout Plan:
Phase 1: Starting the week of Nov 10, 2025, CSRs asserting the `id-kp-clientAuth` EKU will be rejected
unless both of the following conditions are met:
1) both the `id-kp-serverAuth` and `id-kp-clientAuth` EKUs are set in the CSR, and
2) the clientAuth query parameter is set in the directory URL.
Please see the FAQ for more details.
Phase 2: Starting the week of Apr 13, 2026, CSRs asserting the `id-kp-clientAuth` EKU will be rejected,
with no exceptions.
This will require changes to how mTLS and other clientAuth use cases handle certificate
provisioning and trust store updates. clientAuth use cases should move to private PKIs. There are
many good options for private PKIs, such as Google Cloud's Certificate Authority Service.
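
To find out ahead of each phase which certificate requests the rule above affects, the following added example (not Google Trust Services code) walks a DER-encoded CSR with the Python standard library, extracts the requested EKUs and applies the two phases. The function names are hypothetical, the boolean `client_auth_param_set` stands in for the clientAuth query parameter on the directory URL, and CSRs that do not assert `id-kp-clientAuth` are treated as outside the rule; the sample inputs are constructed extension fragments, not real CSRs.

```python
# OID content bytes (DER, without tag and length)
EKU_EXT = bytes.fromhex("551d25")                 # 2.5.29.37 id-ce-extKeyUsage
SERVER_AUTH = bytes.fromhex("2b06010505070301")   # id-kp-serverAuth
CLIENT_AUTH = bytes.fromhex("2b06010505070302")   # id-kp-clientAuth
# Constructed samples: DER Extensions fragments, not real CSRs.
BOTH_EKUS = bytes.fromhex("301f301d0603551d250416301406082b06010505070301"
                          "06082b06010505070302")
SERVER_ONLY = bytes.fromhex("301530130603551d25040c300a06082b06010505070301")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def requested_ekus(der):
    """Return the KeyPurposeId OIDs (raw bytes) requested in a DER CSR or fragment."""
    for tag, val in children(der):
        if not tag & 0x20:                 # primitive: nothing to descend into
            continue
        kids = children(val)
        # Extension ::= SEQUENCE { extnID, [critical], extnValue OCTET STRING }
        if kids and kids[0] == (0x06, EKU_EXT) and kids[-1][0] == 0x04:
            _, seq, _ = read_tlv(kids[-1][1], 0)
            return [v for t, v in children(seq) if t == 0x06]
        found = requested_ekus(val)
        if found:
            return found
    return []

def would_be_rejected(der, phase, client_auth_param_set=False):
    """True if the announced rule rejects this CSR in the given phase (1 or 2)."""
    ekus = requested_ekus(der)
    if CLIENT_AUTH not in ekus:
        return False                       # the rule only covers clientAuth CSRs
    if phase == 1:                         # exception: both EKUs plus the parameter
        return not (SERVER_AUTH in ekus and client_auth_param_set)
    return True                            # Phase 2: no exceptions
```

For a PEM CSR, base64-decode the body between the `BEGIN`/`END` lines and pass the resulting bytes to `would_be_rejected`.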