Let's Encrypt will stop issuing certificates usable for TLS client authentication in 2026. The driver is the Chrome Root Program's requirement that CA hierarchies be single-purpose: a hierarchy trusted for TLS server authentication may no longer issue certificates carrying the Client Authentication extended key usage (EKU). Given the feature's low usage and the operational cost of running a separate hierarchy just to keep it, Let's Encrypt chose to drop it rather than build that hierarchy. Certificates already issued keep working until they expire. Users who need client certificates are pointed to alternatives such as Smallstep, another commercial Certificate Authority, or a private CA of their own. Server certificates, the overwhelming majority of what Let's Encrypt issues, are unaffected.
Let's Encrypt, a Certificate Authority (CA) that issues free X.509 certificates for Transport Layer Security (TLS), has announced that it will end support for TLS client authentication in the certificates it issues, with the change phased in over 2026. Concretely, the Extended Key Usage (EKU) extension of a Let's Encrypt certificate currently lists both TLS Web Server Authentication (id-kp-serverAuth) and TLS Web Client Authentication (id-kp-clientAuth); after the change it will list only serverAuth. The transition is staged: first an opt-in ACME certificate profile without the clientAuth EKU, then a switch of the default profile, and finally the end of all issuance with that EKU during 2026. Because Let's Encrypt certificates are valid for 90 days, every affected certificate will have expired within three months of that last issuance.
The primary motivation is a policy constraint rather than a change of heart about client certificates: the Chrome Root Program requires CA hierarchies to be single-purpose, so certificates issued from a hierarchy trusted for TLS server authentication must stop carrying the clientAuth EKU. Continuing to offer client authentication would have meant standing up and operating a separate hierarchy, and Let's Encrypt judged that the feature's low usage did not justify that operational burden; the resources are better spent on the server certificates that its much larger user base depends on. One point needs stating precisely, because it is easy to get wrong: a certificate whose EKU lists only serverAuth is not "technically still usable" as a client certificate. A TLS server that validates client certificates checks the EKU against the intended purpose (OpenSSL applies its sslclient purpose check by default) and rejects the certificate. The key pair can still sign a TLS handshake, but the peer that validates the chain decides, and after the change it will say no.
The change applies regardless of which ACME client is used, because it is a property of the issued certificate, not of the protocol; Let's Encrypt has supported only ACME v2 (RFC 8555) since retiring ACME v1 in 2021, and no ACME version will restore the clientAuth EKU. The announcement reflects a deliberate decision to concentrate on the core mission of free, automated certificates for securing servers. Anyone relying on Let's Encrypt certificates for client authentication, typically for mutual TLS between internal services, VPN access or device enrolment, should migrate before issuance ends: either to a CA that issues dedicated client certificates (a commercial CA, or a private CA run with tooling such as Smallstep's step-ca or plain OpenSSL), or to a different authentication mechanism where one fits better, such as WebAuthn for interactive users. The migration has two halves that are easy to forget: the clients need new certificates, and every server that validates client certificates must have its trust anchor switched from the Let's Encrypt chain to the new CA.
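As an added example (not code from Let's Encrypt, the linked announcement or the commenters), the following script shows the two things a practitioner affected by this change needs: how to check whether a certificate carries the TLS Web Client Authentication EKU, and how to replace a Let's Encrypt-issued client certificate with one from a small private CA. It assumes OpenSSL 1.1.1 or newer on PATH; the CA name, the file names and the scratch directory WORK are made up for the demonstration. The "server-only" certificate stands in for what Let's Encrypt will issue after the change, and the purpose check shows it being refused as a client certificate.

```shell
#!/bin/sh
# Added example, not Let's Encrypt's or any project's code. Assumes OpenSSL 1.1.1
# or newer on PATH; every file below lives in a scratch directory.
set -eu

# Scratch directory for keys and certificates (assumption: set WORK to keep them).
WORK="${WORK:-$(mktemp -d)}"

# Create a self-signed private CA for client certificates. The CA carries no
# extendedKeyUsage of its own; purpose is constrained on each leaf certificate.
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = Example Internal mTLS CA
[ca_ext]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 3650 \
    -config "$WORK/ca.cnf" 2>/dev/null
}

# Issue a leaf certificate from the CA. $1 = file stem and CN, $2 = EKU list,
# e.g. "clientAuth" or "serverAuth". The EKU is what a relying party checks.
issue_leaf() {
  name="$1"; eku="$2"
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' \
    > "$WORK/csr.cnf"
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
    -subj "/CN=$name" -config "$WORK/csr.cnf" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=%s\n' \
    "$eku" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -sha256 -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.crt" 2>/dev/null
}

# Does the PEM certificate in $1 carry the TLS Web Client Authentication EKU?
# This is the check to run against an existing Let's Encrypt cert.pem.
has_client_auth_eku() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Extended Key Usage' \
    | grep -q 'TLS Web Client Authentication'
}

# Emulate what a TLS peer does: chain $2 to our CA and check it for a purpose
# ("sslclient" or "sslserver"). An EKU without that purpose makes this fail.
verifies_for() {
  purpose="$1"; cert="$2"
  openssl verify -CAfile "$WORK/ca.crt" -purpose "$purpose" "$cert" 2>/dev/null \
    | grep -q ': OK$'
}

make_ca
issue_leaf client clientAuth         # replacement client certificate
issue_leaf server-only serverAuth    # what Let's Encrypt will issue after the change

# Prints, in order:
#   client.crt: clientAuth EKU=yes, verifies as TLS client=yes
#   server-only.crt: clientAuth EKU=no, verifies as TLS client=no
for c in client server-only; do
  has_client_auth_eku "$WORK/$c.crt" && eku=yes || eku=no
  verifies_for sslclient "$WORK/$c.crt" && ok=yes || ok=no
  echo "$c.crt: clientAuth EKU=$eku, verifies as TLS client=$ok"
done
```

Point has_client_auth_eku at /etc/letsencrypt/live/<name>/cert.pem (certbot's default layout) to see whether a certificate in use today still carries the EKU; once the default profile changes, renewed certificates will fail that check even though they verify as server certificates. Servers that currently validate client certificates against the Let's Encrypt chain must be reconfigured to trust the new CA certificate (ca.crt here) instead, and the client keys should be generated on the clients rather than distributed from the CA host as this demonstration does for brevity.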
Summary of Comments (7)
https://news.ycombinator.com/item?id=44018400
HN commenters largely lament Let's Encrypt's decision to end client certificate support. Several are concerned about the impact on internal tools and services that rely on this authentication method, particularly for smaller organizations or individuals without the resources to migrate easily. Some suggest alternatives such as self-signed certificates or other CAs, while acknowledging that these can be cumbersome or expensive. Others question the rationale behind the decision, pointing to the continued usefulness of client certificates for specific use cases such as SSH access, VPNs and device authentication. A few express understanding, recognizing the limited demand and the security complexities of client certificates, but are still disappointed at the loss of a free and accessible option.
The Hacker News post discussing Let's Encrypt's ending of TLS client authentication certificate support in 2026 generated a moderate number of comments, primarily focusing on the niche use cases of client certificates and the reasons behind Let's Encrypt's decision.
Several commenters pointed out the limited practical applications of client certificates outside of specific enterprise environments. One user mentioned their use in accessing internal services and VPNs within organizations, highlighting the added security benefit of two-factor authentication without relying on SMS or authenticator apps. Others echoed this, suggesting that client certificates are most prevalent in internal networks and specialized setups, rather than general web browsing.
Some users expressed surprise at Let's Encrypt offering this service at all, emphasizing its rarity in the public web space. They speculated that the low demand, coupled with the complexity of managing client certificates, likely contributed to Let's Encrypt's decision. This aligns with the official statement from Let's Encrypt, which cited low usage and high maintenance costs.
A few commenters discussed the technical aspects of implementing and managing client certificates, noting the challenges involved, especially for average users. One user explained the process of generating certificate signing requests and installing certificates, emphasizing the relative complexity compared to other authentication methods. This reinforces the idea that client certificates are better suited for managed environments where IT support is readily available.
The conversation also touched on alternative methods of authentication, with some suggesting that WebAuthn/FIDO2 offers a more user-friendly and secure approach for two-factor authentication. One commenter highlighted the advantages of WebAuthn in terms of phishing resistance and ease of use, suggesting it as a viable replacement for client certificates in many scenarios.
Finally, a few comments simply acknowledged the news, expressing understanding of Let's Encrypt's decision given the low demand and maintenance burden. This underscores the overall sentiment that while client certificates have their place, they are not widely utilized enough to justify the resources required for their continued support by a free certificate authority like Let's Encrypt.