Third-party Certificate Authorities cease issuing certificates with 'ServerAuth' and 'ClientAuth' EKU Extensions

Discover how this industry-driven change might affect component configurations and network connections within your Splunk platform environment.

Beginning in September 2025, several third-party certificate authorities (CAs) stopped issuing public Transport Layer Security (TLS) server certificates containing both "Client Auth" and "Server Auth" Extended Key Usage (EKU) extensions. Beginning in May of 2026, several of these CAs will no longer issue any public certificates with the "Client Auth" EKU at all. These changes affect the issuance of new certificates as well as renewed, re-issued, or duplicate certificates. The changes are in line with industry standards to improve overall security by separating certificate usages and maintain compliance with directives from browser vendors such as the Google Chrome Root Program.

App Key Value Store (KV Store), which handles a majority of configuration persistence on the Splunk platform, requires either a certificate that has both EKUs, or two certificates that have one of each EKU. Depending on the configuration of your Splunk platform deployment and whether you use public TLS certificates to secure the deployment, these changes could affect you. Read on to determine whether or not you must take action to prevent downtime in your deployment, and learn:

What an EKU is and why it is critical to the security of your environment
How these changes could potentially affect your environment
What you need to do to ensure continued uptime
The consequences of inaction

The changes that this release note outlines do not affect the following:

Splunk Cloud Platform indexing and search head tiers. Splunk manages certificates for Splunk services in these tiers and ensures that those certificates have the correct EKUs
Universal forwarders that connect to Splunk Cloud Platform environments using the Universal Forwarder Credentials Package, with certain exceptions, as outlined later in this topic

What is an EKU and why is it so important?

An Extended Key Usage (EKU) is an extension to a digital certificate that conforms to the X.509 standard. The EKU defines how the public key in that certificate can be used. It controls the purpose of the certificate by restricting what the certificate can do. Certificates can have more than one EKU.

A certificate with the TLS Web Server Authentication, or "Server Auth" EKU can be used to authenticate a server. Conversely, a certificate with a TLS Web Client Authentication, or "Client Auth" EKU can be used by a client to authenticate into a server. A certificate with a "Client Auth" EKU is required for mutually-authenticated TLS (mTLS), which KV Store uses for both itself and for connections to other Splunk components.

Third-party CAs have traditionally issued public certificates with both EKUs included. This practice was identified as a security risk, prompting a coordinated change with web browser vendors. Consequently, these CAs now require opting in to add the 'Client Auth' EKU to a certificate or refrain from issuing certificates with 'Client Auth' EKUs altogether. This began in September 2025, and by May 2026, many CAs will no longer issue public certificates with "Client Auth" EKUs.

As a Splunk platform administrator, what does this change mean for me?

If your Splunk platform deployment uses public TLS certificates for the following:

Securing of Splunk components, particularly for KV Store or other component-to-component connections
mTLS for any supported connection

this change could affect your deployment. Splunk has already encountered customer incidents where updated certificates without the "Client Auth" EKU caused problems with KV Store and mTLS-configured connections in the deployment. Follow the procedures described later in this topic to determine the steps you must take to ensure that these changes do not affect you.

What do I need to do to ensure these changes do not affect my environment?

Your plan of action depends on the current state of the TLS certificates in your Splunk platform deployment.

If you use third-party certificates to secure your Splunk platform deployment, follow these steps to ensure the deployment continues to operate smoothly:

Confirm that you have downloaded and installed the latest version of the Splunk Cloud Platform Universal Forwarder Credentials Package onto forwarding tier infrastructure that connects to your Splunk Cloud Platform deployment, particularly if the deployment is part of the Federal Risk and Authorization Management Program (FedRAMP).
Confirm that any external indexing Splunk infrastructure that you manage, such as intermediate or heavy forwarders, includes certificates with the appropriate EKUs installed.

If, in the context of securing your Splunk platform deployment, you do any of the following:

Use Splunk Cloud Platform

you do not need to do anything in most cases. There are some exceptions:

If you use the Splunk Cloud Platform Universal Forwarder Credentials Package to connect your forwarding tier to your Splunk Cloud Platform deployment, you must retrieve the latest version of the package and install it into your forwarding tier infrastructure. See No Content found for /db/organizations/splunk/repositories/splunkcloud-10_0_2503/content/documents/DataManagement/Forwarder/Forwarder_Forwarder/ConfigSCUFCredentials/renew_certificates_in_the_splunk_cloud_universal_forwarder_credentials_package.dita.

I want or have to use public TLS certificates for my environment. What can I do?

Currently, most CAs will only issue certificates with the "Server Auth" EKU, and might or might not provide options to add the "Client Auth" EKU. Several CAs have announced that they will no longer provide certificates with the "Client Auth" EKU, and provide workarounds for this change.

Perform the following procedure to ensure that the certificates you receive from your third party CA meet the requirements for your Splunk platform deployment going forward.

If your Splunk Cloud Platform environment is a part of FedRAMP, you might need to upgrade the Splunk Cloud Platform Universal Forwarder Credentials Package with updated certificates. The Splunk Cloud Operations team will contact you regarding next steps.

What happens if I do nothing?

Existing valid certificates remain valid until they expire or become invalid.

The consequences of inaction will surface when you go to renew, reissue, or duplicate these certificates. This is because CAs no longer issue certificates with both EKUs as they did previously.

If a certificate does not have the proper EKUs embedded, Splunk components, and in particular KV Store, rejects the certificate as invalid. This means that these components will not start, which immediately results in a period of downtime until you either install a certificate that meets the EKU requirements or reconfigure your Splunk platform deployment to not use certificates.