Removal of TLS Client Authentication EKU from public CA issued certs.

[hardillb]

Given Chrome appears to be requiring the removal of TLS Client Authentication EKU markers for Server Certificates (https://googlechrome.github.io/chromerootprogram/) most of the public CA providers are removing this flag (e.g. https://letsencrypt.org/2025/05/14/ending-tls-client-authentication)

Are there any plans to remove the flag from the standard Small Step CA templates?

While this is probably only currently linked to Chrome included the CA certs in their trust store, do we know if they will later go further and require this to be missing from server certificates as well?

I have also been playing with S/MIME certs recently and realised that certificates need this flag in the EKU to be able to renew them with

step ca certificate renew cert.prm cert.key

(This is using a JWT provisioner if it matters)

Is this the case for renewing all certificate types or do ACME issued certs still need client auth?

p.s. Also any plans to enable ACME EmailReply-00 Challenge (https://datatracker.ietf.org/doc/html/rfc8823) support?

[hslatman]

Given Chrome appears to be requiring the removal of TLS Client Authentication EKU markers for Server Certificates (https://googlechrome.github.io/chromerootprogram/) most of the public CA providers are removing this flag (e.g. https://letsencrypt.org/2025/05/14/ending-tls-client-authentication)

Are there any plans to remove the flag from the standard Small Step CA templates?

Not concretely, at this moment. It would need careful consideration and implementation, and opt-in at first, to not break current automation use cases.

While this is probably only currently linked to Chrome included the CA certs in their trust store, do we know if they will later go further and require this to be missing from server certificates as well?

We can only guess. Historically, browsers seem to have been more lenient when it comes to internal PKI, and my guess is that will remain like so for compatibility reasons.

I have also been playing with S/MIME certs recently and realised that certificates need this flag in the EKU to be able to renew them with

step ca certificate renew cert.prm cert.key

(This is using a JWT provisioner if it matters)

Is this the case for renewing all certificate types or do ACME issued certs still need client auth?

No, only when using the "proprietary" CA APIs that step-ca provides, which rely on mTLS (or tokens signed with the certificate private key), and thus are a use case that generally uses/requires the Client Authentication EKU.

p.s. Also any plans to enable ACME EmailReply-00 Challenge (https://datatracker.ietf.org/doc/html/rfc8823) support?

Not planned, but I do have a working POC implementation locally. The core isn't that hard or big; it's the integration with mailing servers / protocols that makes this a larger effort.

[hardillb]

p.s. Also any plans to enable ACME EmailReply-00 Challenge (https://datatracker.ietf.org/doc/html/rfc8823) support?

Not planned, but I do have a working POC implementation locally. The core isn't that hard or big; it's the integration with mailing servers / protocols that makes this a larger effort.

Ohh, cool. yeah I think it would be fair to off load as much of that as possible to SMTP/IMAP servers.

I know @jwildeboer would also be interested in this

[hslatman]

Feel free to give a 👍 to #730