Let’s Encrypt will no longer include the “TLS Client Authentication” Extended Key Usage (EKU) in our certificates beginning in 2026. Most users who use Let’s Encrypt to secure websites won’t be affected and won’t need to take any action. However, if you use Let’s Encrypt certificates as client certificates to authenticate to a server, this change may impact you.
To minimize disruption, Let’s Encrypt will roll this change out in multiple stages, using ACME Profiles:
Yes, that’s the same thing. Removing it from one place, and just adding it to another. No big deal.
I honestly don’t think many people were even using this feature compared to SSL certs. Anyone using TLS everywhere already has their own cert manager workflow, othey’d be using another system to do it ala k8s, or they’d be doing it at the network fabric instead of per-service. I can’t think of many use-cases where regular users of LE would have a TLS-enabled public service they would need other random users to trust. I’m sure there’s some, but nowhere on the scale of their SSL users.
Yes, that’s the same thing. Removing it from one place, and just adding it to another. No big deal.
I honestly don’t think many people were even using this feature compared to SSL certs. Anyone using TLS everywhere already has their own cert manager workflow, othey’d be using another system to do it ala k8s, or they’d be doing it at the network fabric instead of per-service. I can’t think of many use-cases where regular users of LE would have a TLS-enabled public service they would need other random users to trust. I’m sure there’s some, but nowhere on the scale of their SSL users.
Adding it where?