New deadlines: Client Authentication expected to be removed from SwissSign TLS/SSL certificates from end of January 2027

The Extended Key Usage (EKU) clientAuth will no longer be permitted in newly issued, publicly trusted SwissSign TLS/SSL certificates from end of January 2027 (provisional).

Background: Google's Chrome Root Program Policy v1.8 restricts the use of clientAuth in publicly trusted TLS/SSL certificates in two stages: subordinate CA certificates are affected from 15 June 2026, leaf certificates from 15 March 2027.

What is changing, and when: SwissSign will therefore stop issuing publicly trusted TLS/SSL certificates that contain the clientAuth EKU. We are planning to implement these requirements by end of January 2027. We will announce the exact date in our RSS feed and on our blog. Certificates issued before that date remain valid until their respective expiry date.

What you need to do: Please check whether you are using the "clientAuth" EKU in your TLS/SSL certificates. If so, renew them before January 2027. Certificates in private PKI environments are not affected, and S/MIME certificates of type "Sponsor Validated" can often be used as an alternative.

Resources: You will find detailed information in our blog article: TLS/SSL Client Authentication: what is changing

Your SwissSign Team