The Apache Software Foundation Blog

Starting May 2026, major public Certificate Authorities (CAs) including Let's Encrypt, DigiCert, Sectigo, and GlobalSign will stop including the Client Authentication Extended Key Usage (EKU) in publicly issued TLS certificates. This affects any deployment using mutual TLS (mTLS) with public-CA-issued client certificates — including Apache Kafka, Cassandra, ZooKeeper, Pulsar, Ignite, and Geode. Failures won't appear immediately but will surface silently during routine certificate renewals, potentially causing cascading authentication failures in distributed systems. Three migration paths are outlined: switching to an internal/enterprise CA for all certificates, using a hybrid model (public CA for servers, private CA for clients), or moving to server-only TLS with application-layer authentication. Deployers should immediately audit their environments, identify affected certificates using OpenSSL or keytool commands, and begin migration planning before the deadline.

The Public CA clientAuth EKU Sunset: What Apache Software Deployers Need to Know

What Apache Software Deployers Need to Know Before May 2026

When Industry Standards Shift Beneath Your Feet

The Common Failure Mode Across Apache Deployments