Impact of the sunsetting of Client Authentication EKU in public TLS certificates on JBoss EAP with two-way SSL.

Solution In Progress - Updated

Issue

  • Major Certificate Authorities (CAs) like DigiCert, Sectigo, and Let's Encrypt are sunsetting the Client Authentication Extended Key Usage (EKU) from their publicly trusted TLS/SSL certificates (see DigiCert's announcement). This change will cause client authentication to fail in a two-way SSL/TLS (mTLS) configuration on Red Hat JBoss Enterprise Application Platform (EAP) if you are using these public certificates for client identity.

When a client presents a public TLS certificate that no longer contains the id-kp-clientAuth (1.3.6.1.5.5.7.3.2) object identifier (OID), JBoss EAP will reject the certificate for client authentication during the SSL/TLS handshake, leading to failed connections.
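To find out ahead of time whether a client certificate will be affected, inspect its Extended Key Usage extension for id-kp-clientAuth. The following script is an added example written for this article, not Red Hat's or DigiCert's tooling: it assumes OpenSSL 1.1.1 or later (for the `-addext` and `-ext` options), generates two constructed self-signed test certificates (one with serverAuth and clientAuth, one with serverAuth only, mirroring the change the CAs are making), and checks each with `has_client_auth_eku`. Point the same function at a real client certificate PEM to audit your own deployment.

```shell
#!/bin/sh
# Added example (not part of the Red Hat article): check a PEM certificate for the
# id-kp-clientAuth (1.3.6.1.5.5.7.3.2) Extended Key Usage.
# Assumes: openssl >= 1.1.1 on PATH (needed for 'req -addext' and 'x509 -ext').
set -e

WORK=$(mktemp -d)

# has_client_auth_eku CERT_PEM
# Exit status 0 if the certificate's EKU extension lists clientAuth, 1 otherwise.
# A certificate with no EKU extension at all is also reported as 1 by this check.
has_client_auth_eku() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null \
        | grep -q 'TLS Web Client Authentication'
}

# eku_summary CERT_PEM
# Prints "clientAuth present" or "clientAuth MISSING" for a human-readable audit line.
eku_summary() {
    if has_client_auth_eku "$1"; then
        echo "$1: clientAuth present"
    else
        echo "$1: clientAuth MISSING (two-way SSL client auth would fail)"
    fi
}

# make_test_cert NAME EKU_LIST
# Constructed self-signed test certificate for demonstration only (not a public CA cert).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example-client" \
        -addext "extendedKeyUsage=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Certificate as CAs used to issue them: serverAuth + clientAuth.
make_test_cert old_style "serverAuth,clientAuth"
# Certificate as CAs will issue them after the sunset: serverAuth only.
make_test_cert new_style "serverAuth"

# Audit both; the second line shows what a sunsetted certificate looks like.
eku_summary "$WORK/old_style.pem"
eku_summary "$WORK/new_style.pem"
```

Run it against the certificates your JBoss EAP clients actually present (the leaf, not the CA chain); any certificate reported as MISSING needs to be replaced with one from a source that still issues clientAuth, such as a private CA, before the handshake starts failing.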

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
  • Red Hat Single Sign-On (SSO)
  • Red Hat Build of Keycloak
  • Any other Red Hat products that use two-way SSL/TLS with public certificates for client authentication.
