Kent Engström <kent.engstrom(a)liu.se> writes:
TCS members,
information from GEANT regarding the upcoming removal of
clientAuth from "extended key usage" in server certificates.
HARICA has now also sent information about this, including a concrete
date for the change. See the pasted message:
Dear TCS members,
We are announcing an upcoming update to our Publicly-Trusted SSL/TLS Web
Server Certificates.
Effective March 2, 2026, HARICA will no longer include the TLS Client
Authentication (Client Auth) Extended Key Usage (EKU) value by default in
newly issued TLS Server certificates that chain to the Chrome Root Store.
Why are we making this change?
This update is required by the Google Chrome Root Program Policy. It
strengthens security by ensuring that server authentication certificates are
restricted strictly to server authentication.
How does this affect you?
For Standard Web Servers (HTTPS): There is no impact. Certificates used solely
to secure a website and issued prior to the effective date will remain valid
and functional until their expiration date.
For Mutual TLS (mTLS) Configurations: If you currently use the same
certificate to identify your server to clients and to authenticate your server
as a client to other back-end systems, you must take action.
Action Required: If your system requires Client Authentication:
- You must issue a dedicated Client Certificate (S/MIME or dedicated Client
Auth) for that specific purpose. HARICA offers such certificates.
- If your solution does not support two distinct client and server
authentication certificates, you need to document your use case in detail and
explain why the two-certificate approach is not feasible. HARICA may grant an
extension to this effective date on a case-by-case basis allowing more time
for you to implement the necessary changes using two certificates. This
extension cannot exceed May 15, 2026.
- Based on industry best practices, use cases relying on mTLS should use a
Private PKI instead of Publicly-Trusted Certificates. You may contact
sales(a)harica.gr for more information about these solutions.
Do you have any additional questions or concerns?
If you have questions or need more information, please contact the HARICA
support at support(a)harica.gr.
We remain at your disposal for any further information.
--
Kent Engström, Sunet TCS
kent.engstrom(a)liu.se, +46 13 28 4444
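
To see which existing server certificates still carry the Client Auth EKU, and so which mTLS setups the change above affects, the EKU extension can be read directly from the certificate. The following is an added example, not part of the HARICA or Sunet message: a standard-library-only DER walker. The function names and the `sample()` input are assumptions; the sample is constructed and reproduces only the nesting around the extension, not a full certificate.

```python
EKU_EXT = "2.5.29.37"                # id-ce-extKeyUsage
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"    # id-kp-clientAuth

def read_tlv(buf, pos):
    """Return (tag, body_start, body_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, body_start, body_end) for each DER element in buf[start:end]."""
    while start < end:
        tag, body, start = read_tlv(buf, start)
        yield tag, body, start

def decode_oid(body):
    """Dotted form of OID content bytes (the first two arcs share the first byte)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:             # high bit clear ends this arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def eku_oids(der):
    """EKU OIDs of a DER certificate, or [] when it has no EKU extension."""
    stack = [(0, len(der))]
    while stack:
        kids = list(children(der, *stack.pop()))
        # An Extension is SEQUENCE { OID, [critical BOOLEAN], OCTET STRING extnValue }.
        if kids and kids[0][0] == 0x06 and decode_oid(der[kids[0][1]:kids[0][2]]) == EKU_EXT:
            _, s, e = read_tlv(der, kids[-1][1])     # SEQUENCE OF OID inside extnValue
            return [decode_oid(der[a:b]) for _, a, b in children(der, s, e)]
        stack.extend((s, e) for tag, s, e in kids if tag & 0x20)  # descend into constructed
    return []

def has_client_auth(der):
    return CLIENT_AUTH in eku_oids(der)

def tlv(tag, body):                  # sample builder only; short-form lengths
    return bytes([tag, len(body)]) + body
def sample(*oid_bodies):
    # Constructed stand-in, not a real certificate: just the nesting around the extension.
    eku = tlv(0x30, b"".join(tlv(0x06, o) for o in oid_bodies))
    ext = tlv(0x30, tlv(0x06, b"\x55\x1d\x25") + tlv(0x04, eku))
    return tlv(0x30, tlv(0x30, tlv(0xA3, tlv(0x30, ext))))
```

For a real certificate, pass `ssl.PEM_cert_to_DER_cert(pem_text)` from the Python standard library as `der`; a certificate for which `has_client_auth` returns True is a candidate for the two-certificate split described in the message.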