The Sunset of Public TLS Client Certificates: What June 15, 2026 Means for Web Security
Discover the upcoming deprecation of public TLS/SSL client certificates with client authentication EKU. Learn how Google Chrome and other browsers will stop trusting these certificates starting June 15, 2026, and explore alternative authentication methods for enhanced web security.
In the ever-evolving world of web security, change is constant. One significant shift is underway that will affect how we think about client authentication on the web. Starting June 15, 2026, major platforms like Google Chrome will stop trusting publicly trusted SSL/TLS certificates that include the client authentication extended key usage (EKU). This marks the beginning of the end for public client certificates as we know them.
But what does this really mean for website owners, developers, and users? Let’s dive into the details of this important security evolution.
What Are Client Certificates?
Client certificates, also known as client-side certificates, are digital certificates used to authenticate the client (usually a user or device) to a server during a TLS handshake. Unlike server certificates that prove a website’s identity, client certificates prove the user’s identity to the website.
These certificates contain:
- The client’s public key
- Identity information (like name, email, or organization)
- The client authentication EKU, which indicates the certificate can be used for client authentication
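As an added example (not part of the original article), the following dependency-free Python code walks the DER encoding of an extendedKeyUsage extension and reports whether id-kp-clientAuth (1.3.6.1.5.5.7.3.2) is present, which is the check the "Audit Current Usage" step below boils down to; the extension bytes are constructed in the code rather than taken from any real certificate.

```python
# Added example, not from the article: dependency-free DER walker that checks an X.509
# extendedKeyUsage extension for id-kp-clientAuth. Sample bytes below are constructed.
OID_EKU = b"\x55\x1d\x25"                              # 2.5.29.37 as DER content octets
OID_SERVER_AUTH = b"\x2b\x06\x01\x05\x05\x07\x03\x01"  # 1.3.6.1.5.5.7.3.1
OID_CLIENT_AUTH = b"\x2b\x06\x01\x05\x05\x07\x03\x02"  # 1.3.6.1.5.5.7.3.2

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """OID content octets to dotted form: first byte packs two arcs, rest are base-128."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def eku_oids(ext_der):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }."""
    _, ext, _ = read_tlv(ext_der)
    _, oid, pos = read_tlv(ext)
    if decode_oid(oid) != "2.5.29.37":
        return []                                       # some other extension, not EKU
    tag, val, pos = read_tlv(ext, pos)
    if tag == 0x01:                                     # skip the optional critical flag
        tag, val, pos = read_tlv(ext, pos)
    _, seq, _ = read_tlv(val)                           # OCTET STRING wraps SEQUENCE OF OID
    oids, p = [], 0
    while p < len(seq):
        _, body, p = read_tlv(seq, p)
        oids.append(decode_oid(body))
    return oids

def has_client_auth_eku(ext_der):
    return "1.3.6.1.5.5.7.3.2" in eku_oids(ext_der)

der = lambda tag, body: bytes([tag, len(body)]) + body  # short-form TLV; samples stay < 128 bytes

def eku_extension(*oid_bodies):
    """Construct a non-critical extendedKeyUsage extension from OID content octets."""
    purposes = der(0x30, b"".join(der(0x06, o) for o in oid_bodies))
    return der(0x30, der(0x06, OID_EKU) + der(0x04, purposes))
DUAL_USE = eku_extension(OID_SERVER_AUTH, OID_CLIENT_AUTH)  # the shape public CAs are dropping
SERVER_ONLY = eku_extension(OID_SERVER_AUTH)                 # dedicated TLS server certificate
```

For real certificate files, `openssl x509 -in cert.pem -noout -ext extendedKeyUsage` (OpenSSL 1.1.1 or later) prints the same purposes, and "TLS Web Client Authentication" in its output corresponds to the OID this code looks for.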
The Phase-Out Decision
The decision to phase out public client certificates stems from several security and usability concerns:
- Security Risks: Publicly trusted client certificates can be issued by any Certificate Authority (CA) in the Web PKI ecosystem, potentially allowing unauthorized parties to obtain certificates for impersonation
- Limited Adoption: Despite being available for years, client certificates have seen minimal real-world usage due to complexity and poor user experience
- Modern Alternatives: More user-friendly authentication methods like WebAuthn, OAuth, and SAML have become prevalent
What This Means Starting June 15, 2026
When Chrome and other major browsers implement this change:
- Public Client Certificates Become Untrusted: Browsers will reject client certificates issued by public CAs that include the client authentication EKU
- Private/Internal Certificates Still Work: Certificates issued by private CAs (like corporate internal CAs) will continue to function
- No Impact on Server Certificates: This only affects client authentication, not server-side TLS certificates
Implications for Organizations
For Enterprises
- Internal Systems Unaffected: Private client certificates for VPN access, internal applications, and corporate networks will continue working
- Migration Planning: Organizations using public client certificates should plan to migrate to alternative authentication methods
For Certificate Authorities
- Business Model Impact: Public CAs may see reduced demand for client certificates
- Focus Shift: Emphasis on server certificates and other PKI services
For Developers
- API Changes: Web applications relying on client certificates may need updates
- Alternative Authentication: Consider implementing modern auth methods like:
  - WebAuthn for passwordless authentication
  - OAuth 2.0 / OpenID Connect
  - SAML for enterprise SSO
Preparing for the Change
To ensure a smooth transition:
- Audit Current Usage: Identify any systems currently using public client certificates
- Plan Migration: Develop a timeline for switching to alternative authentication methods
- Test Compatibility: Verify that critical applications work without client certificates
- Update Documentation: Inform users about upcoming changes
The Future of Client Authentication
While public client certificates are being phased out, client authentication isn’t going away. Instead, it’s evolving:
- Hardware Security: Solutions like YubiKey and other hardware tokens
- Biometric Authentication: Fingerprint and facial recognition
- Decentralized Identity: Self-sovereign identity solutions
Stay Ahead with SSL Monitoring
As SSL/TLS standards evolve, staying informed about certificate changes is crucial. Tools like SSLcalendar.com can help you track certificate expirations and stay prepared for upcoming changes in the PKI landscape.
For comprehensive TLS health monitoring beyond basic expiration tracking, consider SSLboard.com, which provides in-depth analysis of your SSL/TLS infrastructure.
Conclusion
The phase-out of public client certificates represents another step forward in web security evolution. While it may require some adjustment for organizations currently using this technology, the move toward more secure and user-friendly authentication methods ultimately benefits everyone. As we approach June 15, 2026, now is the time to assess your authentication strategies and prepare for a more modern, secure web.
Sources: Chrome Platform Status - Client Certificate Authentication, CA/Browser Forum discussions on client certificate usage.
This article is for informational purposes. Always consult official documentation and security experts for your specific implementation needs.