What’s Happening?
Starting May 2026, all major public certificate authorities, including Let’s Encrypt, DigiCert, and Sectigo, will stop issuing certificates for TLS client authentication. This change stems from Google Chrome’s new root program requirements and is triggering a mandatory industry-wide transition.
Critical Dates
- October 2025: Most CAs will begin removing client authentication EKU by default
- May 2026: No public CA will issue client authentication certificates
- June 2026: Chrome will only accept root certificate hierarchies dedicated exclusively to TLS server authentication (client auth and server auth must come from separate roots)
Who’s Affected?
You’re Not Affected If:
You only use certificates to secure websites (HTTPS) – no action needed.
Pay Attention If You Have These Scenarios:
- VPN and remote access: Authenticating employee devices with certificates
- Enterprise Wi-Fi (802.1X): Using device-based network authentication
- Mutual TLS (mTLS): Securing APIs and microservices
- Kubernetes/Service Mesh: Using certificates for pod-to-pod authentication
- IoT/M2M: Device-to-device authentication
- Enterprise applications: Client certificate-based SSO
Any certificate obtained from public CAs and used for client authentication will be unrenewable after 2026.
The Solution: Transitioning to Private PKI
The only valid solution for client authentication is now for organizations to establish their own private PKI infrastructure. The good news? Modern tools make this transition far less complex than it used to be.
Benefits of Private PKI
- Full control: You define certificate profiles, lifecycles, and policies
- Flexibility: Create certificates tailored to your internal use cases
- Independence: Unaffected by external policy changes
- Cost: More economical at scale
- Speed: Faster revocation, renewal, and deployment
Requirements for Successful Transition
1. Certificate Inventory
The first step is understanding your current state: identify which certificates are used for client authentication and which systems depend on them, then prioritize those systems by criticality.
2. Private CA Infrastructure
Modern solutions enable you to establish root CA and intermediate CA hierarchies, create custom certificate profiles for different use cases, and integrate with standard protocols like ACME, EST, and SCEP.
3. Certificate Lifecycle Management (CLM)
Given the increasing number of certificates and more frequent renewal requirements, manual management is no longer sustainable. Capabilities needed for a successful transition:
- Automated discovery: Finding all certificates across your organization
- Centralized management: Monitoring both public and private certificates from a single location
- Automated signing: Integrated certificate generation with private CA
- Smart deployment: Automatically deploying signed certificates to target systems
- Lifecycle automation: Renewal, revocation, and rotation processes
- Compliance control: Preventing policy violations
Transition Strategy
Phase 1: Assessment (Immediate)
- Extract current certificate inventory
- Identify certificates using client authentication
- List affected systems and criticality levels
- Plan resources needed for transition
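The inventory step above (and the Certificate Inventory requirement earlier) comes down to one question per certificate: does its Extended Key Usage allow TLS client authentication? The following added example (not from the original article or from SecTrail) answers it with a stdlib-only DER walker that locates the EKU extension (OID 2.5.29.37); the sample inputs are constructed extension fragments, not real certificates, and the same functions work on full DER or PEM certificates exported from your systems. Whether the issuer is a public CA must still be checked against your own list of issuers.

```python
import base64, re

EKU_EXT, ANY_EKU = "2.5.29.37", "2.5.29.37.0"
SERVER_AUTH, CLIENT_AUTH = "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"

def tlvs(buf):
    """Yield (tag, value) for each DER TLV in buf (short and long length forms)."""
    i = 0
    while i < len(buf):
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                          # long form: next n bytes hold the length
            n, ln = ln & 0x7F, 0
            for b in buf[i:i + n]:
                ln = (ln << 8) | b
            i += n
        yield tag, buf[i:i + ln]
        i += ln

def decode_oid(v):
    """Decode DER OID content bytes into dotted notation."""
    arcs, acc = [v[0] // 40, v[0] % 40], 0
    for b in v[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))

def find_eku(der):
    """Return the EKU OID list, or None when the certificate has no EKU extension."""
    for tag, val in tlvs(der):
        if tag == 0x30:                        # SEQUENCE: may be Extension{extnID, [critical], extnValue}
            inner = list(tlvs(val))
            if inner and inner[0][0] == 0x06 and decode_oid(inner[0][1]) == EKU_EXT:
                seq_of_oids = next(tlvs(inner[-1][1]))[1]   # OCTET STRING wraps SEQUENCE OF OID
                return [decode_oid(v) for t, v in tlvs(seq_of_oids) if t == 0x06]
        if tag & 0x20:                         # any constructed node (SEQUENCE, [3] extensions): recurse
            found = find_eku(val)
            if found is not None:
                return found
    return None

def client_auth_status(der):
    """'client-auth' = affected by the 2026 change; 'no-eku' = unrestricted per RFC 5280, review it."""
    eku = find_eku(der)
    if eku is None:
        return "no-eku"
    return "client-auth" if CLIENT_AUTH in eku or ANY_EKU in eku else "other"

def load_pem(text):
    """Return DER bytes of the first certificate in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return base64.b64decode(m.group(1))

# Constructed test fixtures (hypothetical, short-form lengths only): a [3] Extensions block with one EKU.
def der(tag, body): return bytes([tag, len(body)]) + body
OID_SERVER, OID_CLIENT = der(0x06, bytes.fromhex("2B06010505070301")), der(0x06, bytes.fromhex("2B06010505070302"))
def sample(*oids):
    ext = der(0x30, der(0x06, bytes.fromhex("551D25")) + der(0x04, der(0x30, b"".join(oids))))
    return der(0x30, der(0xA3, der(0x30, ext)))
```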
Phase 2: Pilot (Q4 2025)
- Test private PKI on a non-critical system
- Set up automation processes with CLM platform
- Validate renewal and deployment scenarios
Phase 3: Production Migration (Q1-Q2 2026)
- Migrate VPN systems and user certificates
- Update mTLS APIs and microservices
- Configure IoT and embedded devices
- Systematically revoke old public CA certificates
Critical: All systems must be migrated to private PKI before May 2026.
Technology Selection: What to Look For
Must-Have Features
Your chosen platform must offer:
- Comprehensive discovery and inventory management
- Private CA integration and certificate signing capabilities
- Automatic deployment to target systems (Kubernetes, load balancers, web servers, etc.)
- ACME/EST/SCEP protocol support
- RESTful API and webhook integration
- Detailed audit logs and reporting
Integration Ecosystem
The platform should be compatible with your existing infrastructure:
- CAs like Microsoft ADCS, OpenSSL, EJBCA
- Container platforms like Kubernetes, Docker, OpenShift
- Web servers like Nginx, Apache, IIS
- Load balancers like F5, HAProxy, Citrix
Practical Recommendations
Security
- Keep root CA offline, use intermediate CAs
- Protect private keys with HSM
- Use at least RSA 2048 or ECC P-256
- Conduct regular audits and compliance checks
Automation
- Avoid manual processes entirely
- Short-lived certificates + automatic renewal
- Configure pre/post deployment scripts
- Health check and validation automation
Organization
- Implement centralized management
- Define role-based access control
- Prepare team training and documentation
- Create disaster recovery plan
Tool Selection Comparison Criteria
| Criterion | Why Important | What to Check |
|---|---|---|
| Discovery capability | Finding hidden certificates | Multi-platform scan, agent/agentless, scheduling |
| Signing flexibility | Custom use cases | Custom profiles, EKU control, CA agnostic |
| Deployment automation | Operational load | Number of supported platforms, API/webhook, rollback |
| Protocol support | Device/system compatibility | ACME, EST, SCEP, RESTful API |
| Scalability | Growth and load | Certificate number limits, performance, high availability |
Conclusion
Public CAs ending client authentication support in 2026 isn’t just a policy change – it’s a structural transformation forcing organizations toward a more controlled and secure PKI model.
Final warning: After May 2026, obtaining client authentication certificates from public CAs will become impossible. Create your transition plan today to avoid surprises.
Modern CLM platforms can turn this transition into both an easy and value-creating opportunity. With the right tool selection and proper planning, this mandatory transition will become a long-term gain for your organization.
SecTrail CM offers a comprehensive platform for certificate lifecycle management. We provide support across all processes from certificate inventory extraction and automation to certificate deployment to target systems. Contact us for more information.
