Client Authentication Certificate Changes: What to know
11 May 2026
Update: Client authentication certificate changes and what they mean for you
If you use mutual TLS (mTLS) certificates to connect with our J.P. Morgan Application Programming Interface (API) and/or Host-to-Host (H2H) services, there are upcoming industry changes to how client authentication certificates are issued.
We’re taking action to help you navigate these changes. Below is an overview of what’s changing, what stays the same, and how to stay connected without disruption.
What’s changing
Recent changes to public trust store and root program policies mean some public Certificate Authorities (CAs) may no longer issue publicly trusted certificates that include the Client Authentication Extended Key Usage (EKU).
The change ends the issuance of “dual-purpose” certificates that carry both the Server Authentication and Client Authentication EKUs, forcing a separation between the two roles. A certificate issued for one role can then no longer be presented in the other, which reduces the risk of misuse or unauthorized access.
Several public CAs have already begun to implement this change. Some trust stores are set to reject such certificates starting March 15, 2027.
Even though API and H2H connections are server-to-server mTLS with no browser involved, these ecosystem changes affect whether a public CA will issue, renew, or continue to support the certificate your client presents.
Who’s affected
You’re affected if you need to obtain an mTLS certificate that includes the Client Authentication EKU (e.g., renewal, rotation, compromise response).
What J.P. Morgan is doing
In response to this change and to ensure continuity, J.P. Morgan’s Private CA will issue and support mTLS certificates for your API and H2H connections.
We will enable you to submit a Certificate Signing Request (CSR) through the Payments Developer Portal (PDP), integrating with our private CA to provide a valid certificate for your mTLS connections.
Our Private CA will provide supported client authentication certificates so you can maintain secure, uninterrupted connectivity. We’re targeting a Q3 2026 release date for this functionality and will provide more information soon.
What stays the same
We will continue to support existing valid certificates until their expiration date. No endpoint changes are required for this transition.
Timeline at a glance
- Public CAs: Many may no longer issue certificates with the Client Authentication EKU going forward.
- Public trust store / CA program policy: Some browsers and trust stores will reject these certificates starting March 15, 2027.
- J.P. Morgan support: Our Private CA will provide supported client authentication certificates so you can maintain secure, uninterrupted connectivity.
What you need to do now
No immediate action is required while your current certificates are still valid.
As your existing mTLS certificates near expiration, review the acceptable Certificate Authorities (CAs) here. Check with these CAs directly to determine if they still provide certificates that include the Client Authentication EKU.
- If expiring before Q4 2026, use an approved CA listed here (if available).
- If expiring after Q4 2026, plan to switch to our Private CA.
Recommended preparation
- Inventory your mTLS certificates and note expiration dates.
- Confirm your process for generating CSRs aligns with your organization’s security policies.
- Ensure your technical and operational contacts are current so we can reach the right teams.
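The inventory and CSR steps above, as an added example that is not J.P. Morgan’s code or tooling: it uses the Python `cryptography` package, generates throwaway self-signed certificates in-process (constructed samples, not real customer certificates), reports each certificate’s EKUs and expiry, maps the notice’s “before / after Q4 2026” guidance onto each one, and builds a CSR that requests only the Client Authentication EKU. The P-256 key type, the subject names, and the use of 1 October 2026 as the hard cut-over date are assumptions; the key and subject requirements the Private CA will actually expect are not yet published and should be taken from the Payments Developer Portal guidance when it becomes available.

```python
"""Inventory mTLS client certificates: Client Authentication EKU, expiry, next step.
Added example, not J.P. Morgan code. Requires the `cryptography` package; the
sample certificates and CSR are generated in-process so it runs offline."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

CLIENT_AUTH = ExtendedKeyUsageOID.CLIENT_AUTH  # id-kp-clientAuth, 1.3.6.1.5.5.7.3.2
SERVER_AUTH = ExtendedKeyUsageOID.SERVER_AUTH  # id-kp-serverAuth, 1.3.6.1.5.5.7.3.1
UTC = datetime.timezone.utc
# Assumption: the notice's "Q4 2026" cut-over is treated as 1 October 2026.
Q4_2026 = datetime.datetime(2026, 10, 1, tzinfo=UTC)


def _day(iso_date):
    """'YYYY-MM-DD' -> timezone-aware UTC datetime at midnight."""
    return datetime.datetime.fromisoformat(iso_date).replace(tzinfo=UTC)


def make_test_cert(common_name, ekus, not_after_iso):
    """Constructed sample: self-signed P-256 cert with the given EKU list (may be empty)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    not_after = _day(not_after_iso)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_after - datetime.timedelta(days=365))
        .not_valid_after(not_after)
    )
    if ekus:
        builder = builder.add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)


def _ekus(obj):
    """Set of EKU OIDs on a certificate or CSR; None when the extension is absent."""
    try:
        return set(obj.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
    except x509.ExtensionNotFound:
        return None


def _not_after_utc(cert):
    # cryptography >= 42 has the tz-aware property; older releases return naive UTC.
    aware = getattr(cert, "not_valid_after_utc", None)
    return aware if aware is not None else cert.not_valid_after.replace(tzinfo=UTC)


def inventory_cert(pem, as_of=None):
    """Facts about one PEM certificate that matter for this transition."""
    cert = x509.load_pem_x509_certificate(pem)
    now = _day(as_of) if as_of else datetime.datetime.now(UTC)
    ekus = _ekus(cert)
    not_after = _not_after_utc(cert)
    return {
        "subject": cert.subject.rfc4514_string(),
        "issuer": cert.issuer.rfc4514_string(),
        "not_after": not_after.date().isoformat(),
        "days_left": (not_after - now).days,
        "eku_present": ekus is not None,  # no EKU extension = usable for any purpose
        "client_auth": ekus is not None and CLIENT_AUTH in ekus,
        "server_auth": ekus is not None and SERVER_AUTH in ekus,
    }


def recommended_action(info):
    """Map the notice's guidance onto one inventoried certificate."""
    if info["eku_present"] and not info["client_auth"]:
        return "no clientAuth EKU: not usable for mTLS client authentication"
    if _day(info["not_after"]) < Q4_2026:
        return "expires before Q4 2026: renew with an approved public CA, if one still issues clientAuth"
    return "expires Q4 2026 or later: plan to obtain the renewal from the Private CA"


def build_client_auth_csr(common_name, key=None):
    """CSR requesting only the clientAuth EKU. The issuing CA decides the final EKUs."""
    key = key or ec.generate_private_key(ec.SECP256R1())
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .add_extension(x509.ExtendedKeyUsage([CLIENT_AUTH]), critical=False)
        .sign(key, hashes.SHA256())
    )
    return csr.public_bytes(serialization.Encoding.PEM)


def csr_requests_client_auth_only(csr_pem):
    """True when the CSR's self-signature verifies and it asks for exactly {clientAuth}."""
    csr = x509.load_pem_x509_csr(csr_pem)
    return csr.is_signature_valid and _ekus(csr) == {CLIENT_AUTH}


if __name__ == "__main__":
    samples = [  # constructed samples; hypothetical subject names
        ("dual-purpose", [SERVER_AUTH, CLIENT_AUTH], "2026-08-01"),
        ("client-only", [CLIENT_AUTH], "2027-03-01"),
        ("server-only", [SERVER_AUTH], "2027-03-01"),
    ]
    for label, ekus, expiry in samples:
        info = inventory_cert(make_test_cert(f"{label}.example", ekus, expiry))
        print(f"{label:13} expires {info['not_after']} clientAuth={info['client_auth']}"
              f" -> {recommended_action(info)}")
    print("CSR ok:", csr_requests_client_auth_only(build_client_auth_csr("h2h-client.example")))
```

To run the same checks on real files without Python, `openssl x509 -in cert.pem -noout -enddate -ext extendedKeyUsage` prints the expiry and the EKU list of a certificate, and `openssl req -in request.pem -noout -text` shows the extensions a CSR requests. Note that a certificate with no EKU extension at all is, per RFC 5280, usable for any purpose, so the script treats “no EKU” differently from “EKU present but without clientAuth”; a public CA that has dropped clientAuth will typically still emit an EKU extension containing only serverAuth, which is the case that breaks mTLS.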
What’s coming next
We’re establishing a streamlined and automated process for you to request and obtain certificates from our Private CA. We’ll share additional details ahead of any required action on your side.
Quick FAQ
- Will my current connections stop working right away?
- No. Existing client authentication certificates remain valid until they expire. There’s no immediate change to your current connectivity.
- Do I need to switch CAs today?
- You may switch at your convenience, but there is no requirement to renew early. Refer to the approved CA list and check with those CAs directly to determine whether they still provide certificates that include the Client Authentication EKU.
- How will I request a new certificate from J.P. Morgan?
- You will submit a CSR through the Payments Developer Portal. We’ll provide step‑by‑step guidance as the process becomes available.
- When will I be able to request a certificate using J.P. Morgan’s Private CA?
- We’re targeting a Q3 2026 release date. We will update communications once the delivery date has been confirmed.
Questions?
We’re here to help ensure your connections remain secure and uninterrupted:
- Phone: 978-805-1200, Option 1
- Email: Payments Connectivity - Client AUTH EKU Deprecation