Let’s Encrypt will no longer include the “TLS Client Authentication” Extended Key Usage (EKU) in our certificates beginning in 2026. Most users who use Let’s Encrypt to secure websites won’t be affected and won’t need to take any action. However, if you use Let’s Encrypt certificates as client certificates to authenticate to a server, this change may impact you.
To minimize disruption, Let’s Encrypt will roll this change out in multiple stages, using ACME Profiles:
I’ve been using client certs for my self-hosted stuff as an MFA (what you have) and it’s fairly straightforward to implement. It’s annoying to manage all the certs but once it’s set up, it sort of runs on its own.
TIL client certs exist.