diff --git a/content/en/docs/profiles.md b/content/en/docs/profiles.md index 3a22fe77a..98ff260bb 100644 --- a/content/en/docs/profiles.md +++ b/content/en/docs/profiles.md @@ -1,7 +1,7 @@ --- title: Profiles slug: profiles -lastmod: 2026-02-11 +lastmod: 2026-03-16 show_lastmod: false --- @@ -93,7 +93,7 @@ Certificates issued with the tlsclient profile contain the TLS Client Auth EKU. It is otherwise identical to the classic profile. However, as [announced on our blog](/2025/05/14/ending-tls-client-authentication), -this profile will cease to exist on May 13, 2026. +this profile will soon cease to exist. Subscribers who are already using it prior to May 13, 2026 may continue to use it until July 8, 2026. This profile exists for the sole purpose of allowing Subscribers who need access to TLS Client Auth certificates to retain that EKU for slightly longer, to diff --git a/content/en/post/2025-05-14-ending-tls-client-authorization.md b/content/en/post/2025-05-14-ending-tls-client-authorization.md index 3d86a9785..7628cfbc4 100644 --- a/content/en/post/2025-05-14-ending-tls-client-authorization.md +++ b/content/en/post/2025-05-14-ending-tls-client-authorization.md @@ -8,6 +8,8 @@ display_support_us_footer: true display_inline_newsletter_embed: false --- +> Update March 16, 2026: Thanks to some timeline changes in the root program requirements, we have been able to push back the removal of the `tlsclient` profile slightly. If you are already using the `tlsclient` profile before May 13, 2026, now you will be able to continue to do so through July 8, 2026. + Let's Encrypt will no longer include the "TLS Client Authentication" Extended Key Usage (EKU) in our certificates beginning in 2026. Most users who use Let's Encrypt to secure websites won't be affected and won't need to take any action. However, if you use Let's Encrypt certificates as client certificates to authenticate to a server, this change may impact you. To minimize disruption, Let's Encrypt will roll this change out in multiple stages, using [ACME Profiles](https://letsencrypt.org/docs/profiles/): @@ -15,7 +17,7 @@ To minimize disruption, Let's Encrypt will roll this change out in multiple stag - **Today**: Let's Encrypt already excludes the Client Authentication EKU on our [`tlsserver`](https://letsencrypt.org/docs/profiles/#tlsserver) ACME profile. You can verify compatibility by issuing certificates with this profile now. - **October 1, 2025**: Let's Encrypt will launch a new `tlsclient` ACME profile which will retain the TLS Client Authentication EKU. Users who need additional time to migrate can opt-in to this profile. - **February 11, 2026**: the default [`classic`](https://letsencrypt.org/docs/profiles/#classic) ACME profile will no longer contain the Client Authentication EKU. -- **May 13, 2026**: the `tlsclient` ACME profile will no longer be available and no further certificates with the Client Authentication EKU will be issued. +- **July 8, 2026**: the `tlsclient` ACME profile will no longer be available and no further certificates with the Client Authentication EKU will be issued. Once this is completed, Let's Encrypt will switch to issuing with new intermediate Certificate Authorities which also do not contain the TLS Client Authentication EKU. @@ -26,4 +28,4 @@ For some background information, all certificates include a list of intended use After this change is complete, only TLS Server Authentication will be available from Let's Encrypt. -This change is prompted by changes to Google Chrome's root program requirements, which impose a June 2026 deadline to split TLS Client and Server Authentication into separate PKIs. Many uses of client authentication are better served by a private certificate authority, and so Let's Encrypt is discontinuing support for TLS Client Authentication ahead of this deadline. \ No newline at end of file +This change is prompted by changes to Google Chrome's root program requirements, which impose a June 2026 deadline to split TLS Client and Server Authentication into separate PKIs. Many uses of client authentication are better served by a private certificate authority, and so Let's Encrypt is discontinuing support for TLS Client Authentication ahead of this deadline. diff --git a/content/en/upcoming-features.md b/content/en/upcoming-features.md index ed8d4ae6f..8e858ab44 100644 --- a/content/en/upcoming-features.md +++ b/content/en/upcoming-features.md @@ -1,7 +1,7 @@ --- title: Upcoming Features slug: upcoming-features -lastmod: 2026-02-11 +lastmod: 2026-03-16 show_lastmod: 1 --- @@ -11,7 +11,7 @@ For announcements of upcoming changes, please [subscribe to the Technical Update ## Removal of TLS Client Authentication EKU -On February 11, 2026, we [removed the "TLS Client Authentication" Extended Key Usage (EKU)](https://letsencrypt.org/2025/05/14/ending-tls-client-authentication/) from our default certificate profile. As a temporary stop-gap for clients that need more time to migrate, we have a [tlsclient](https://letsencrypt.org/docs/profiles/#tlsclient) profile available until May 13, 2026. +On February 11, 2026, we [removed the "TLS Client Authentication" Extended Key Usage (EKU)](https://letsencrypt.org/2025/05/14/ending-tls-client-authentication/) from our default certificate profile. As a temporary stop-gap for clients that need more time to migrate, we have a [tlsclient](https://letsencrypt.org/docs/profiles/#tlsclient) profile available. Subscribers who are already using it prior to May 13, 2026 may continue to use it until July 8, 2026. ## Decreasing Certificate Lifetimes to 45 Days @@ -55,4 +55,3 @@ Clients may [request a "shortlived" certificate](https://letsencrypt.org/2025/02 ## IP Address Certificates Shortlived certificates (see above) can request that the certificate [contain IP Addresses](https://letsencrypt.org/2025/02/20/first-short-lived-cert-issued/) in its Subject Alternative Names. These addresses will be [validated in much the same way as DNS Names](https://www.rfc-editor.org/rfc/rfc8738.html) are today. -