
Extended key usage (EKU) options

For a limited time, from August 12, 2025, to May 1, 2026, CertCentral includes two new extended key usage (EKU) options on the public TLS/SSL certificate request forms. These options are under Additional certificate options. You can also manage which option is selected by default on request forms via the Product Settings page in CertCentral. Refer to the instructions to update the default EKU option selection for your public TLS certificate.

On May 1, 2026, DigiCert will remove these options from CertCentral and start issuing public TLS certificates with only the Server Authentication EKU. For more information about DigiCert's timeline to phase out the client authentication EKU in our public TLS certificates, read our knowledge base article about sunsetting the client authentication EKU.

New EKU options in CertCentral

Server Authentication and Client Authentication EKUs

  • Until October 1, 2025, DigiCert includes these two EKUs in your TLS/SSL certificate by default.

  • Starting October 1, 2025, you must select this option to include both EKUs in your TLS/SSL certificate.

Server Authentication EKU

  • Until October 1, 2025, you must select this option to include only the Server Authentication EKU in your TLS/SSL certificate.

  • Starting October 1, 2025, DigiCert will include only the Server Authentication EKU in your public TLS/SSL certificate by default.

Certificate profile options for CertCentral Services API Integrations

If you request public TLS certificates through the CertCentral Services API, you can include both EKUs or only the Server Authentication EKU in your public TLS/SSL certificate. Refer to the TLS certificate order endpoints and the Glossary's Certificate profile options table for more details.

Starting May 1, 2026, DigiCert will no longer support these certificate profile options in public TLS certificate requests. We’ll issue these certificates with only the Server Authentication EKU.

What do the Server Authentication and Client Authentication EKUs do in a TLS/SSL certificate?

The Server Authentication EKU is used to authenticate TLS servers so that clients can verify websites, for example, when you use your browser to go to a website such as https://www.digicert.com.

The Client Authentication EKU is used to authenticate a client, such as a user or device, to a server. This EKU isn’t required when you use the TLS certificate on websites like https://www.digicert.com.
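
To see how a relying party enforces these EKUs, the following added example (not DigiCert code) uses Go's standard crypto/x509 verifier on constructed, self-signed test certificates and checks each one for server and for client use. The helper names `issue` and `acceptedFor` and the subject `eku-demo.example` are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a constructed, self-signed test certificate carrying the given EKUs.
func issue(ekus ...x509.ExtKeyUsage) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "eku-demo.example"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// acceptedFor reports whether a verifier that requires the given EKU accepts the certificate.
func acceptedFor(cert *x509.Certificate, usage x509.ExtKeyUsage) bool {
	roots := x509.NewCertPool()
	roots.AddCert(cert) // trust the test certificate directly; only the EKU check is of interest
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err == nil
}

func main() {
	both, err1 := issue(x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth)
	serverOnly, err2 := issue(x509.ExtKeyUsageServerAuth)
	if err1 != nil || err2 != nil {
		panic("test certificate generation failed")
	}
	fmt.Printf("both EKUs as client cert: %v\nserver-only as server cert: %v\nserver-only as client cert: %v\n",
		acceptedFor(both, x509.ExtKeyUsageClientAuth), acceptedFor(serverOnly, x509.ExtKeyUsageServerAuth), acceptedFor(serverOnly, x509.ExtKeyUsageClientAuth))
}
```

A certificate with only the Server Authentication EKU is rejected when the verifier requires Client Authentication, which is the check to run against any deployment that presents a public TLS certificate as a client certificate.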