Configure extended key usage (EKU) options

Important

On March 1, 2027, DigiCert will remove the EKU options from CertCentral request forms and product settings pages. After this date, DigiCert issues public TLS certificates with the Server Authentication EKU only.

For a limited time, from now until March 1, 2027, CertCentral includes two new extended key usage (EKU) options on the public TLS/SSL certificate request forms. These options are under Additional certificate options.

CertCentral administrators can control which EKU option is selected by default on the request forms from their Product Settings pages in CertCentral. See Update your public TLS certificate's default EKU option selection.

For more information about DigiCert's timeline for phasing out the Client Authentication EKU, see the knowledge base article: Sunsetting Client Authentication EKU from DigiCert public TLS certificates.

New EKU options in CertCentral

On public TLS certificate request forms, an Extended key usage (EKU) section appears with two options:

  • Server Authentication EKU (default): DigiCert includes the Server Authentication EKU in your public TLS/SSL certificate by default.

  • Server Authentication and Client Authentication EKUs: As of October 1, 2025, select this option to include both EKUs in your public TLS/SSL certificate.

Certificate profile options for CertCentral Services API integrations

When requesting a public TLS certificate through the CertCentral Services API, the certificate can include both EKUs or the Server Authentication EKU only. For more details about including these EKUs in your certificates:

Beginning March 1, 2027, DigiCert will no longer support these EKU options in public TLS certificate requests and will issue these certificates with the Server Authentication EKU only.

What do the Server Authentication and Client Authentication EKUs do in a TLS/SSL certificate?

The Server Authentication EKU authenticates connections to TLS servers to verify websites, for example, when you use a browser to go to a website such as https://www.digicert.com.

The Client Authentication EKU authenticates a client, such as users or devices, to a server. This EKU is not required when using the TLS certificate on websites like https://www.digicert.com.
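
To see which of these two EKUs an existing certificate carries, the following added example (not DigiCert code) reads the Extended Key Usage extension from a PEM or DER certificate using only the Python standard library. The function names and the SAMPLE bytes are constructed for illustration; the OIDs are the standard RFC 5280 values.

```python
import base64, re, sys

EKU_EXT = "2.5.29.37"              # id-ce-extKeyUsage (RFC 5280)
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth
# Constructed sample: DER skeleton with only the fields read below, not a real certificate.
SAMPLE = bytes.fromhex("30253023a321301f301d0603551d250416301406082b06010505"
                       "07030106082b06010505070302")

def tlvs(buf):  # yield (tag, value) for each DER element directly inside buf
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:               # long-form length: low 7 bits = byte count
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        yield tag, buf[i:i + n]
        i += n

def oid(body):  # decode OBJECT IDENTIFIER content bytes to dotted-decimal form
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:           # high bit clear ends this arc
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)  # first byte packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def ekus(cert):  # EKU OIDs in a PEM or DER certificate ([] if no EKU extension)
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END", cert, re.S)
    der = base64.b64decode(m.group(1)) if m else cert
    tbs = next(tlvs(next(tlvs(der))[1]))[1]    # Certificate > tbsCertificate
    for tag, val in tlvs(tbs):
        if tag == 0xA3:            # [3] EXPLICIT Extensions
            for _, ext in tlvs(next(tlvs(val))[1]):
                parts = list(tlvs(ext))        # extnID, [critical], extnValue
                if oid(parts[0][1]) == EKU_EXT:
                    return [oid(v) for _, v in tlvs(next(tlvs(parts[-1][1]))[1])]
    return []

def has_client_auth(cert):  # True if the Client Authentication EKU is present
    return CLIENT_AUTH in ekus(cert)

if __name__ == "__main__":  # checks SAMPLE plus any certificate files given as arguments
    for data in [SAMPLE] + [open(p, "rb").read() for p in sys.argv[1:]]:
        print(ekus(data), "has clientAuth" if has_client_auth(data) else "no clientAuth")
```

The walker does not verify signatures or validate the certificate; it only reports which EKU OIDs are encoded in it.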

Update your public TLS certificate's default EKU option selection

Updating the default EKU setting is not required to include both EKUs in your public TLS certificate. However, it reduces the burden on requesters. The requester uses the default setting instead of needing to remember whether to include one or two EKUs in the certificate.

Notice

This process applies to any public TLS certificate in your CertCentral account. In step 3, select the public TLS certificate you want to update.

Prerequisite: You must be a CertCentral administrator to view and update the product settings in CertCentral.

Update your Basic OV certificate’s default EKU option selection

  1. In the CertCentral main menu, go to Settings > Product Settings.

  2. On the Product Settings page, do the following to configure the scope of your product settings before updating your Basic OV product settings:

    1. Account wide or division specific:

      • Account wide:

        If you did not enable product configuration per division, no action is needed. All product settings apply to the entire account.

        If you enabled product configuration per division, in the For menu, select the top-level division. Selecting the main or top-level division applies the product settings to all divisions in CertCentral.

      • Division specific:

        1. Select Enable Product Configuration Per Division.

        2. In the For menu, select the division that you want the product settings to apply to.

    2. All user roles or a specific user role

      1. All user roles

        To apply the product settings to all user roles, deselect Configure products by role.

      2. Specific user role

        1. To apply the product settings to a specific user role, select Configure products by role.

        2. In the Role column, select the role that you want the product settings to apply to.

  3. In the Product column, select Basic OV.

  4. In the Product Settings column, under Basic OV, in the Default Extended Key Usage menu, select the default EKU option for the request form:

    • Server Authentication

    • Server Authentication and Client Authentication

    Notice

    On March 1, 2027, DigiCert will remove these options from the product setting pages and issue public TLS certificates with just the Server Authentication EKU.

  5. When ready, go to the bottom of the page and select Save Settings.

The next time someone requests a certificate for this product, the designated EKU option is selected by default on the request form.
