Effective May 1, 2026, the various Trusted Root Certification Authorities will no longer be issuing SSL Certificates containing both the “serverAuth” and “clientAuth” Extended Key Usage (EKU). Since the various Siebel CRM components (Gateways, Application Interfaces, Siebel Servers, and so on) currently rely on certificates that include both EKUs, some of you may be worried that your Siebel implementation will stop working the next time your existing certificates expire.
Worry Not!
We will be making changes to our architecture to accommodate this change in the standard.
What Oracle will deliver…
- …the ability to deploy Siebel CRM with two separate certificates—one for server authentication and another for client authentication.
- …installers that will collect information about each certificate required.
- …code changes necessary for each component to use the correct certificate in each situation.
These changes will be available in a Monthly Update before the May 2026 deadline.
Customer Planning
- Commercial CAs will no longer issue any certificates with a clientAuth EKU, so customers will need to find or create an internal CA to provide a clientAuth certificate.
- For customers who will not be able to apply a Monthly Update in the required timeframe, we will provide manual workaround options that each customer can evaluate in cooperation with their security teams.
More details will be provided as we approach this change in the standard.
For more information on the changes to the standard, consider reading this article: https://www.rsaconference.com/library/blog/sunsetting-the-clientauth-eku-what-why-and-how-to-prepare-for-the-change.
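As a planning aid, the following added example (not Oracle tooling and not part of the original post) reports which EKUs each PEM certificate carries, so certificates reported as `both` can be identified before they come up for renewal. The function names are hypothetical, and it assumes PEM-encoded certificate files and OpenSSL 1.1.1 or later; `make_sample_cert` only generates constructed test certificates.

```shell
#!/bin/sh
# Added example: classify a PEM certificate by its Extended Key Usage.
# Function names are hypothetical; this is not Siebel or Oracle code.

classify_eku() {  # $1 = path to a PEM certificate
    # Bail out early if the file is missing or is not a parsable certificate.
    openssl x509 -in "$1" -noout 2>/dev/null || { echo unreadable; return 0; }
    # In "-text" output the EKU values sit on the line after the extension name.
    eku=$(openssl x509 -in "$1" -noout -text 2>/dev/null |
          awk '/X509v3 Extended Key Usage/ { getline; print; exit }')
    server=0; client=0
    case "$eku" in *"TLS Web Server Authentication"*) server=1 ;; esac
    case "$eku" in *"TLS Web Client Authentication"*) client=1 ;; esac
    if [ "$server" = 1 ] && [ "$client" = 1 ]; then echo both
    elif [ "$server" = 1 ]; then echo serverAuth
    elif [ "$client" = 1 ]; then echo clientAuth
    elif [ -z "$eku" ]; then echo none    # no EKU extension present
    else echo other                        # EKU present, neither TLS usage
    fi
}

# Constructed sample input: a throwaway self-signed certificate.
# $1 = output path, $2 = EKU list such as "serverAuth,clientAuth"
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed.example" \
        -keyout "$1.key" -out "$1" \
        -addext "extendedKeyUsage=$2" 2>/dev/null
}

# Classify every certificate path given on the command line.
for cert in "$@"; do
    printf '%s\t%s\n' "$cert" "$(classify_eku "$cert")"
done
```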
