Ending TLS Client Authentication Certificate Support in 2026

Let’s Encrypt will no longer include the “TLS Client Authentication” Extended Key Usage (EKU) in our certificates beginning in 2026. Most users who use Let’s Encrypt to secure websites won’t be affected and won’t need to take any action. However, if you use Let’s Encrypt certificates as client certificates to authenticate to a server, this change may impact you. To minimize disruption, Let’s Encrypt will roll this change out in multiple stages, using ACME Profiles: Today : Let’s Encrypt already excludes the Client Authentication EKU on our tlsserver ACME profile. You can verify compatibility by issuing certificates with this profile now. : Let’s Encrypt already excludes the Client Authentication EKU on our ACME profile. You can verify compatibility by issuing certificates with this profile now. October 1, 2025 : Let’s Encrypt will launch a new tlsclient ACME profile which will retain the TLS Client Authentication EKU. Users who need additional time to migrate can opt-in to this prof ... Read full article.