Let’s Encrypt will no longer include the “TLS Client Authentication” Extended Key Usage (EKU) in our certificates beginning in 2026. Most users who use Let’s Encrypt to secure websites won’t be affected and won’t need to take any action. However, if you use Let’s Encrypt certificates as client certificates to authenticate to a server, this change may impact you.
To minimize disruption, Let’s Encrypt will roll this change out in multiple stages, using ACME Profiles:
I’ve read a lot of outcry about this wrt self-hosted mail servers.
Some say this is fatal, some say it has no effect. Both sides seem to have valid technical arguments. It would be nice to understand the effects better.
I’ve read a lot of outcry about this wrt self-hosted mail servers.
Some say this is fatal, some say it has no effect. Both sides seem to have valid technical arguments. It would be nice to understand the effects better.