
Illumio Advisories

Upcoming Changes to TLS Certificate Requirements

Date of Product Advisory Announcement: September 2025

Starting October 1, 2025, public certificate authorities (CAs), including DigiCert, will stop issuing public TLS certificates that include the Client Authentication (Client Auth) Extended Key Usage (EKU) by default. Customers must explicitly request this extension when generating certificates intended for use with Illumio software. On or around May 1, 2026, DigiCert and other public CAs will remove the option to select the Client Authentication EKU during enrollment for public TLS certificates altogether.

Following this change, starting on June 15, 2026, Google Chrome and other browsers will stop trusting any newly issued server certificates that include the Client Auth EKU. This industry-wide change can affect how TLS certificates are used in secure environments that depend on the Client Auth EKU.

Audience

This change applies to on-premises customers only.

Impact to On-Premises Policy Compute Engine (PCE)

Illumio PCE currently requires TLS certificates with the Client Auth EKU for some internal services. Using certificates without this EKU may prevent key services from starting or operating correctly. Until a product update is available to address this change, customers are advised to continue issuing certificates with the Client Auth EKU to avoid operational disruptions.

Impact to Network Enforcement Node (NEN)

The Network Enforcement Node (NEN) also relies on TLS certificates with the Client Auth EKU for some internal services. Certificates issued without this EKU may result in operational disruptions. Customers should make sure that certificates used with NEN deployments include the Client Auth EKU until a product update is available.

Recommended Action

  • Continue to generate TLS certificates that include the Client Auth EKU to ensure uninterrupted functionality of Illumio PCE services. 

  • If you’re using a public certificate authority such as DigiCert, you must explicitly request the inclusion of the Client Auth EKU when you generate certificates.
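To confirm that a certificate returned by a CA actually carries the Client Auth EKU before it is installed, the check below can be run against the PEM file. It is an added example, not Illumio tooling; it assumes the OpenSSL CLI is on PATH, and the function names are illustrative.

```shell
#!/usr/bin/env bash
# Added example (not Illumio tooling): report the EKUs of PEM certificates.
# Assumes the OpenSSL CLI is on PATH; function names are illustrative.

# Print the value line of the Extended Key Usage extension (empty if absent).
eku_line() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Extended Key Usage' | tail -n 1
}

has_client_auth() { eku_line "$1" | grep -q 'TLS Web Client Authentication'; }
has_server_auth() { eku_line "$1" | grep -q 'TLS Web Server Authentication'; }

# Return 0 if both EKUs are present, 1 if either is missing,
# 2 if the file is not a parseable PEM certificate.
check_cert() {
    local cert=$1 missing="" issued
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "$cert: not a readable PEM certificate"
        return 2
    fi
    has_server_auth "$cert" || missing="serverAuth"
    has_client_auth "$cert" || missing="${missing:+$missing,}clientAuth"
    # notBefore is the issuance date that the CA and browser deadlines refer to.
    issued=$(openssl x509 -in "$cert" -noout -startdate | cut -d= -f2)
    if [ -n "$missing" ]; then
        echo "$cert: MISSING EKU [$missing] (issued $issued)"
        return 1
    fi
    echo "$cert: serverAuth and clientAuth present (issued $issued)"
}

# Usage: ./check_eku.sh cert1.pem [cert2.pem ...]; exit status is the worst result.
rc=0
for f in "$@"; do
    r=0
    check_cert "$f" || r=$?
    if [ "$r" -gt "$rc" ]; then rc=$r; fi
done
[ "$#" -eq 0 ] || exit "$rc"
```

A certificate with no EKU extension at all is reported as missing both usages, since the check looks for the explicit extension values.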

Planned Illumio Response

Product updates will be made available for the PCE and NEN that will support this industry-wide transition.

Frequently Asked Questions (FAQs)

Review these FAQs if you need more information.

What is changing on October 1, 2025?

DigiCert and other major certificate authorities will stop issuing TLS certificates with the Client Auth EKU by default. Customers who require this extension for mutual TLS must request it explicitly.

What is changing on May 1, 2026?

Google Chrome will stop trusting server certificates that include the Client Auth EKU if they are issued after this date. As a result, users may encounter browser warnings or errors when accessing the PCE web UI using such certificates.

Why does Illumio PCE require the Client Auth EKU today?

The Client Auth EKU is required for inter-node communication between PCE nodes.

Why does NEN require the Client Auth EKU today?

TLS certificates with the Client Auth EKU are used to secure some internal services within the NEN.

Can we use separate certificates for internal and external services?

Currently, Illumio supports a single certificate model. Using separate certificates for internal and browser-facing services is not supported.

What if we use public certificates from providers like DigiCert?

You can continue using public CAs for now, but after October 1, 2025, you must explicitly request the Client Auth EKU.

What happens if we don't make any changes?

If certificates without the Client Auth EKU are used, some services in PCE or NEN may fail to start or operate correctly. In addition, Chrome may block access to web interfaces using certificates that include the EKU after June 15, 2026.

Will this impact SaaS deployments?

This advisory specifically applies to on-premises PCE and NEN deployments.

What changes are coming from Illumio?

Illumio plans to make product updates available that align with the industry-wide transition.

Where can we find more information about this industry-wide change?