The End of ClientAuth EKU…Oh Mercy…What to do?

If you’ve spent any time recently monitoring the cryptography and/or Public Key Infrastructure (PKI) spaces…beyond that ever-present “Post Quantum” thing, you may have read that starting in May of 20...

Published Dec 04, 2025

Version 1.0

Employee

Joined March 16, 2006

View Profile

TimRiker

Cirrocumulus

Feb 11, 2026

From what I can see, LTM, and device trust replication appears unaffected. Is this true? I did not see any replication errors for those.

I'm not sure what GTM is doing differently to trigger this, but if LTM still works without a client EKU, I'd suggest GTM should do whatever LTM does.

The other alternative is to have a separate root trust for client certificates and stop re-using the httpd management and REST server certificate in a client context.

In any case, I would hope for an automated way to update all certificates every 30 days before 2029.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)

The End of ClientAuth EKU…Oh Mercy…What to do?

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS