The End of ClientAuth EKU…Oh Mercy…What to do?
This change does indeed break all GTM/DNS replication with this error:
gtmd[25131]: 011ae114:3: iqmgmt_ssl_connect: SSL error: error:14094413:SSL routines:ssl3_read_bytes:sslv3 alert unsupported certificate (336151571) from connection a.b.c.d
Most vendors are removing Client EKU. Here are two:
https://letsencrypt.org/2025/05/14/ending-tls-client-authentication
https://knowledge.digicert.com/alerts/sunsetting-client-authentication-eku-from-digicert-public-tls-certificates
This breaks us. We use publicly signed certificates as we already need those for traffic endpoints. The same wildcard cert for httpd on all F5s means a small gtm and big3d trust list. We do not want to run an internal CA and manage deploying root certs to all desktop images and mobile devices. Our desktop images typically do NOT allow the local user to modify the list of trusted root certificates.
In urgent need of a fix for this.
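The post's problem is that the iQuery peers (gtmd/big3d) validate the peer's certificate for client authentication, so a public certificate issued without the TLS Client Authentication EKU is rejected with the "unsupported certificate" alert quoted above. The script below is an added example, not code from the original post or from F5: it uses the `openssl` CLI to report whether each PEM certificate still carries the clientAuth EKU (OID 1.3.6.1.5.5.7.3.2), so an inventory of device certificates can be audited before a renewal silently drops the EKU. The file paths and the `audit_certs` helper are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit PEM certificates for the
# TLS Client Authentication EKU that iQuery peers require. Assumes an
# OpenSSL 1.1.1+ binary on PATH (for `x509 -ext`).

# Print the Extended Key Usage extension of one certificate, or nothing if absent.
cert_eku() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null
}

# Exit 0 if the certificate lists clientAuth in its EKU, 1 otherwise.
# OpenSSL renders OID 1.3.6.1.5.5.7.3.2 as "TLS Web Client Authentication".
has_client_auth_eku() {
    cert_eku "$1" | grep -q 'TLS Web Client Authentication'
}

# Check every certificate path given; report each one and return non-zero
# if any lacks clientAuth (those will fail iQuery SSL handshakes).
audit_certs() {
    rc=0
    for f in "$@"; do
        if has_client_auth_eku "$f"; then
            echo "OK      $f (clientAuth EKU present)"
        else
            echo "MISSING $f (no clientAuth EKU; iQuery peers will reject it)"
            rc=1
        fi
    done
    return $rc
}

# Usage (assumed paths): audit_certs /path/to/wildcard.crt /path/to/other.crt
```

Run it against the certificate files deployed for gtmd/big3d; a MISSING line identifies a certificate that will produce the alert quoted in the post once the CA stops issuing the clientAuth EKU.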