Starting May 2026, major public Certificate Authorities (CAs) including Let's Encrypt, DigiCert, Sectigo, and GlobalSign will stop including the Client Authentication Extended Key Usage (EKU) in publicly issued TLS certificates. This affects any deployment using mutual TLS (mTLS) with public-CA-issued client certificates — including Apache Kafka, Cassandra, ZooKeeper, Pulsar, Ignite, and Geode. Failures won't appear immediately but will surface silently during routine certificate renewals, potentially causing cascading authentication failures in distributed systems. Three migration paths are outlined: switching to an internal/enterprise CA for all certificates, using a hybrid model (public CA for servers, private CA for clients), or moving to server-only TLS with application-layer authentication. Deployers should immediately audit their environments, identify affected certificates using OpenSSL or keytool commands, and begin migration planning before the deadline.
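The audit step above (find certificates that still depend on the Client Authentication EKU and see how soon they renew) can be scripted. The following is an added example, not code from the original post or from any Apache project: a POSIX shell audit that asks OpenSSL for each certificate's EKU, flags those carrying clientAuth, and separately marks those expiring within a chosen window. It assumes OpenSSL 1.1.1 or newer on PATH; the directory paths, the constructed sample subject names, and the format of keytool's verbose output in the JKS helper are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit PEM certificates for the
# Client Authentication EKU that public CAs will stop issuing. Assumes OpenSSL
# 1.1.1 or newer; file names and subject names below are constructed samples.

# Text OpenSSL prints for id-kp-clientAuth (OID 1.3.6.1.5.5.7.3.2).
CLIENT_AUTH_NAME='TLS Web Client Authentication'

# Print the line listing a certificate's EKU values; empty if the extension
# is absent or the file is not a certificate. Usage: cert_eku cert.pem
cert_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/X509v3 Extended Key Usage/ { getline; print }'
}

# Exit 0 if the certificate's EKU includes clientAuth, 1 otherwise.
has_client_auth_eku() {
    cert_eku "$1" | grep -q "$CLIENT_AUTH_NAME"
}

# Exit 0 if the certificate expires within N days, i.e. the renewal that
# could silently drop clientAuth is imminent. Usage: expires_within_days cert.pem 30
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Classify every certificate (.pem/.crt) in a directory, one line per file:
#   RENEW-SOON <file>  clientAuth present and expiring within N days
#   AT-RISK <file>     clientAuth present; a public-CA renewal would remove it
#   OK <file>          no clientAuth EKU (server-only or no EKU at all)
# Usage: audit_dir /etc/kafka/ssl 30   (path is an assumed example)
audit_dir() {
    dir=$1; days=${2:-30}
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue
        openssl x509 -in "$f" -noout 2>/dev/null || continue   # skip keys etc.
        if has_client_auth_eku "$f"; then
            if expires_within_days "$f" "$days"; then
                echo "RENEW-SOON $f"
            else
                echo "AT-RISK $f"
            fi
        else
            echo "OK $f"
        fi
    done
}

# Number of certificates in a directory whose EKU includes clientAuth.
count_client_auth() {
    audit_dir "$1" "${2:-30}" | grep -c -E '^(AT-RISK|RENEW-SOON) ' || true
}

# Same question for a Java keystore (the default store for Kafka, Cassandra,
# ZooKeeper). Assumes keytool -v names EKU values as "clientAuth"; this helper
# is not exercised by the sample run below.
jks_has_client_auth() {
    keytool -list -v -keystore "$1" -storepass "$2" 2>/dev/null | grep -q 'clientAuth'
}

# Create two constructed self-signed certificates in $1: one carrying
# clientAuth (as today's public-CA client certificates do) and one server-only.
make_sample_certs() {
    for spec in "client:clientAuth,serverAuth" "server:serverAuth"; do
        name=${spec%%:*}; eku=${spec#*:}
        openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
            -keyout "$1/$name.key" -out "$1/$name.pem" -days 10 \
            -subj "/CN=sample-$name" -addext "extendedKeyUsage=$eku" 2>/dev/null
    done
}

# Run with --demo to audit a throwaway directory of the two sample certificates.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_certs "$tmp"
    audit_dir "$tmp" 30
    rm -rf "$tmp"
fi
```

Run it against the real certificate directories of each cluster (broker, client, and inter-node stores) rather than only the demo: every AT-RISK or RENEW-SOON line is a certificate whose next public-CA renewal will arrive without clientAuth, so it is a candidate for one of the three migration paths.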
Table of contents

What Apache Software Deployers Need to Know Before May 2026
When Industry Standards Shift Beneath Your Feet
The Common Failure Mode Across Apache Deployments
What Will Break and When
How to Know If You're Affected
How to check your certificates
Three Proven Paths Forward
What You Should Do Now
A Moment for the Ecosystem
Where to Get Help