Let's Encrypt TLS Client Auth EKU Removal: tlsclient Opt-In/Cutover by May 13... — when and how should I migrate?
Determine how to handle mTLS and client-certificate issuance after Let's Encrypt removed TLS Client Authentication EKU from the default profile, stopped new tlsclient adoption on May 13, 2026, and allows only pre-existing tlsclient users to continue until July 8, 2026.
Blockers
- Removed the TLS Client Authentication EKU from the default classic profile.
- capability/tlsclient-profile — EOL 2026-05-13
- capability/tlsclient-profile — EOL 2026-07-08
- Managed private CA can increase cloud lock-in.
- A managed or self-hosted private PKI is the replacement for public client-certificate issuance for mTLS after the sunset.
- Self-hosted private PKI with step-ca is presented as a replacement path for internal mTLS after the public clientAuth sunset.
- Vault PKI is presented as a replacement path for internal mTLS after the public clientAuth sunset.
Who this is for
- compliance
- enterprise
- small-team
Candidates
Use Let's Encrypt tlsclient only as a short migration bridge
As of 2026-04-04, Let's Encrypt removed the TLS Client Authentication EKU from its default classic profile on February 11, 2026. The special tlsclient profile still includes clientAuth and is otherwise identical to classic, but it is only a transition path: you must already be using tlsclient by May 13, 2026, and those existing users can continue only until July 8, 2026. This is a stop-gap, not a durable mTLS strategy.
When to choose
Use this only if you already issue via Let's Encrypt and need a few extra weeks to prevent immediate breakage while you cut over clients and trust stores. The decisive factor is whether you can finish migration before July 8, 2026; if not, skip this and move directly to a private PKI.
Tradeoffs
Lowest short-term effort and no certificate cost, but it preserves technical debt and leaves a hard stop in 2026.
Cautions
Do not treat this as a long-term issuance path. Let's Encrypt says the change is driven by root program requirements, and its profile docs state tlsclient exists only to ease transition.
Move mTLS to a managed private CA
A managed private CA is the clean replacement when you still need X.509 client certificates for workloads, devices, or service-to-service mTLS. Google Trust Services says public CAs are dropping clientAuth support and that these use cases should move to private PKIs. As of 2026-04-04, AWS Private CA lists concrete pricing: general-purpose CAs cost $400 per CA-month plus issuance tiers, while short-lived mode costs $50 per CA-month plus $0.058 per certificate. The differentiator is lower operational burden and easier integration with cloud identity, policy, and revocation plumbing.
When to choose
Use this when you need durable mTLS beyond May 2026 and want low-ops lifecycle management, especially in regulated or multi-team environments. The decisive factor is willingness to pay recurring CA fees to avoid building and operating PKI yourself.
Tradeoffs
Operationally simpler and policy-friendly, but materially more expensive than Let's Encrypt and can increase cloud lock-in.
Cautions
Model issuer count and certificate volume before choosing a managed service, because monthly CA fees dominate small deployments. Also plan client trust distribution, because private CA roots are not in public trust stores by default.
Run your own private CA with step-ca or Vault PKI
Self-hosted private PKI is the lowest-vendor-lock-in path for internal mTLS after the public clientAuth sunset. Smallstep documents step-ca as an online CA for automated X.509 and SSH certificate management with TLS and mutual TLS support. HashiCorp Vault PKI documentation, current at v1.21.x, states the PKI secrets engine generates dynamic X.509 certificates and is designed for short TTL and ephemeral certificate workflows. The differentiator is maximum control over issuance policy, certificate lifetime, and trust distribution.
When to choose
Use this when you need private PKI permanently, want to avoid managed-CA recurring fees, or need custom issuance policy across mixed environments. The decisive factor is whether your team can own CA hierarchy design, secure root handling, rotation, and trust-store rollout.
Tradeoffs
Lowest platform lock-in and highly flexible, but you inherit PKI operations, incident response, and integration work.
Cautions
This is not a drop-in replacement for public ACME on the open Web; you must distribute and rotate your own trust anchors. Vault's PKI guidance recommends a CA hierarchy and highlights scale tradeoffs, so design for issuance volume and revocation strategy early.
Try with your AI agent
$ npm install -g pocketlantern $ pocketlantern init # Restart Claude Code, Cursor, or your MCP client, then ask: # "Let's Encrypt TLS Client Auth EKU Removal: tlsclient Opt-In/Cutover by May 13... — when and how should I migrate?"