Changes to clientAuth support in Google Trust Services Certificates
Google Trust Services will be dropping clientAuth support in public TLS certificates following a phased rollout plan. This change is being made in response to Browser Root Program requirement changes that impact all public Certificate Authorities.
Phased Rollout Plan:
Phase 1: Starting the week of Nov 10, 2025, CSRs asserting the id-kp-clientAuth EKU will be rejected, with the exception that:
- the id-kp-serverAuth and id-kp-clientAuth EKUs must be set in the CSR, and
- the clientAuth query parameter must be set in the directory URL.
See the FAQ for more details.
Phase 2: Starting the week of Apr 13, 2026, CSRs asserting the id-kp-clientAuth EKU will be rejected, with no exceptions.
This will require changes to how mTLS and other clientAuth use cases handle certificate provisioning and trust store updates. clientAuth use cases should move to private PKIs. There are many good options for private PKIs, such as Google Cloud's Certificate Authority Service.
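To find which issuance paths the phases above affect, check whether the CSRs your tooling generates request id-kp-clientAuth. The following is an added example, not Google Trust Services code: it uses only the Go standard library, the names RequestedEKUs and SampleCSR are hypothetical, and the sample CSR is constructed with a throwaway key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

var oidExtKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37}             // id-ce-extKeyUsage
var oidServerAuth = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 1} // id-kp-serverAuth
var oidClientAuth = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2} // id-kp-clientAuth

// RequestedEKUs reports which of the two EKUs a DER-encoded CSR asks for in
// the extKeyUsage extension of its extensionRequest attribute.
func RequestedEKUs(csrDER []byte) (serverAuth, clientAuth bool, err error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return false, false, err
	}
	for _, ext := range csr.Extensions {
		var ekus []asn1.ObjectIdentifier
		if !ext.Id.Equal(oidExtKeyUsage) {
			continue
		} else if _, err := asn1.Unmarshal(ext.Value, &ekus); err != nil {
			return false, false, err
		}
		for _, o := range ekus {
			serverAuth = serverAuth || o.Equal(oidServerAuth)
			clientAuth = clientAuth || o.Equal(oidClientAuth)
		}
	}
	return serverAuth, clientAuth, nil
}

// SampleCSR builds a constructed test CSR with a throwaway key (fixture only).
func SampleCSR(ekus ...asn1.ObjectIdentifier) ([]byte, error) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	val, _ := asn1.Marshal(ekus) // extKeyUsage value: SEQUENCE OF OID
	tmpl := &x509.CertificateRequest{ExtraExtensions: []pkix.Extension{{Id: oidExtKeyUsage, Value: val}}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

func main() {
	der, _ := SampleCSR(oidServerAuth, oidClientAuth)
	fmt.Println(RequestedEKUs(der)) // serverAuth, clientAuth, err
}
```

This covers only the CSR half of the Phase 1 exception; the clientAuth query parameter is set on the directory URL and is not visible in the CSR.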