Ending TLS Client Authentication Certificate Support in 2026

  • Change in Let's Encrypt Certificates: Beginning in 2026, Let's Encrypt will no longer include the "TLS Client Authentication" Extended Key Usage (EKU) in its certificates.

    • Most Users Unaffected: Most users using Let's Encrypt to secure websites won't be impacted and don't need to take action.
    • Affects Client Certificate Users: Those using Let's Encrypt certificates as client certificates to authenticate to a server will be affected.
  • Rollout in Multiple Stages:

    • Today: The tlsserver ACME profile already excludes the Client Authentication EKU. Compatibility can be verified now by issuing certificates with this profile.
    • October 1, 2025: Launches a new tlsclient ACME profile retaining the TLS Client Authentication EKU; users needing more time to migrate can opt-in.
    • February 11, 2026: The default classic ACME profile will no longer have the Client Authentication EKU.
    • May 13, 2026: The tlsclient ACME profile will be unavailable and no more certificates with the Client Authentication EKU will be issued.
  • After Completion: Let's Encrypt will switch to issuing from new intermediate Certificate Authorities that likewise omit the TLS Client Authentication EKU.
  • Background on Certificates: All certificates have a list of intended uses (EKUs), and Let's Encrypt certificates have included TLS Server Authentication and TLS Client Authentication.

    • TLS Server Authentication: Used to authenticate connections to TLS servers like websites.
    • TLS Client Authentication: Used by clients to authenticate to a server; not typically used on the web and not required for website certificates.
  • Reason for Change: Prompted by changes to Google Chrome's root program requirements, which set a June 2026 deadline to split TLS Client Authentication and TLS Server Authentication into separate PKIs. Many client authentication uses are better served by a private certificate authority, so Let's Encrypt is discontinuing support ahead of the deadline.
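As an added example (not part of the announcement and not Let's Encrypt's own tooling), a POSIX shell script that inspects PEM certificates for the TLS Client Authentication EKU, so an operator can find certificates whose relying parties depend on it before the profile changes land. It assumes the openssl CLI (1.1.1 or newer) and, when run without arguments, builds two constructed self-signed sample certificates to classify.

```shell
#!/bin/sh
# Added example, not Let's Encrypt tooling: find PEM certificates that carry the
# TLS Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2) that Let's Encrypt is dropping.
# Assumes the openssl CLI, version 1.1.1 or newer (for -addext and -ext).
set -e

# Print a certificate's EKU list, e.g. "TLS Web Server Authentication, TLS Web Client Authentication".
eku_list() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage | sed -n '2s/^ *//p'
}

# Exit 0 when the certificate includes clientAuth, 1 otherwise.
has_client_auth_eku() {
    eku_list "$1" | grep -q 'TLS Web Client Authentication'
}

# One line per certificate saying whether the 2026 change affects it.
classify() {
    if has_client_auth_eku "$1"; then
        echo "$1: clientAuth EKU present; clients authenticating with it must migrate before May 13, 2026"
    else
        echo "$1: serverAuth only; unaffected by the change"
    fi
}

# Constructed throwaway self-signed certificates standing in for the two issuance
# outcomes: serverAuth+clientAuth (today's classic profile) and serverAuth only
# (the tlsserver profile now, and the default from February 11, 2026).
make_sample() {   # make_sample OUT.pem "eku,list"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "${1%.pem}.key" -out "$1" -days 1 -subj "/CN=example.test" \
        -addext "extendedKeyUsage=$2" 2>/dev/null
}

# With no arguments, build and classify the two samples; otherwise classify the given PEM files.
if [ "$#" -eq 0 ]; then
    dir=$(mktemp -d)
    make_sample "$dir/classic.pem" "serverAuth,clientAuth"
    make_sample "$dir/tlsserver.pem" "serverAuth"
    classify "$dir/classic.pem"
    classify "$dir/tlsserver.pem"
    rm -rf "$dir"
else
    for cert in "$@"; do classify "$cert"; done
fi
```

Pass real certificate paths as arguments to audit them; the script only reads the certificates, it does not touch the private keys.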