Skip to main content

Extended key usage (EKU) options

For a limited time, from August 12, 2025, to May 1, 2026, CertCentral includes two new extended key usage (EKU) options on the public TLS/SSL certificate request forms. These options are under Additional certificate options.

You can control which option is selected by default on the request forms from their Product Settings pages in CertCentral. Learn more about updating the default EKU option selection for your public TLS certificates.

On May 1, 2026, DigiCert will remove these EKU options from the CertCentral request forms and product settings pages. We’ll issue public TLS certificates with just the Server Authentication EKU going forward.

For more information about DigiCert's timeline for phasing out the Client Authentication EKU, read our article about sunsetting the client authentication EKU.

New EKU options in CertCentral

In our public TLS certificate request forms, you should an Extended key usage (EKU) section with two EKU options.

  • Server Authentication EKU (default)

    DigiCert includes the Server Authentication EKU in your public TLS/SSL certificate by default.

  • Server Authentication and Client Authentication EKUs

    Beginning October 1, 2025, you must select this option to include both EKUs in your public TLS/SSL certificate.

Certificate profile options for CertCentral Services API (application programming interface) integrations

When requesting public a TLS certificate through the CertCentral Services API, you can include both EKUs or just the Server Authentication EKU in your certificate.

For more details about including these EKUs in your certificates, see the following topics:

Beginning May 1, 2026, DigiCert will no longer support these EKU options in public TLS certificate requests and issue these certificates with just the Server Authentication EKU.

What do the Server Authentication and Client Authentication EKUs do in a TLS/SSL certificate?

The Server Authentication EKU is used to authenticate connections to TLS servers to verify websites. For example, if using your browser to go to a website such as https://www.digicert.com.

The Client Authentication EKU is used to authenticate a client, such as users or devices, to a server. This EKU isn’t required if using the TLS certificate on websites like https://www.digicert.com.

: