Client Auth EKU Hardcoded—Posh-ACME Must Adapt
The New-Csr.ps1 function in Posh-ACME hardcodes both IdKPServerAuth and IdKPClientAuth into every CSR it builds, with no parameter to override the EKU list. That default is on a collision course with CA/Browser Forum and Chrome Root Program policy: from June 2026 Chrome's root program will no longer accept newly issued TLS server certificates that also carry the clientAuth EKU, and public CAs are removing clientAuth from what they issue. Once Phase 2 takes effect, a CA that honors the EKUs requested in a CSR has two choices, reject the request or silently strip clientAuth, and neither outcome is under the Posh-ACME user's control; there are no exceptions and no grace period. (Many ACME CAs, Let's Encrypt among them, take only the public key and the subject alternative names from the CSR and set the EKU from their own certificate profile, so how much this hurts depends on which CA the CSR is submitted to.) Either way, Posh-ACME is asking for an EKU combination that public trust no longer allows, and it gives the user no way to stop asking.
A clientAuth EKU in a TLS server certificate was once routine; today it is a liability. Let's Encrypt has already announced that it is dropping clientAuth from the certificates it issues, and where a client lets the caller supply the CSR, the caller decides the extensions. Posh-ACME's generated CSR ignores that shift and forces users into a technical no-man's-land: no amount of care in ordering the CSR's other fields helps when the EKU list itself is what a CA will object to.
This is not only a technical quirk. Operators expect seamless, secure workflows, yet many tools still embed rigid, deprecated logic. The pressure is as much about preserving user confidence as about the code, in a world where certificate trust is invisible until it breaks. Imagine building a service, confident in its TLS setup, and failing at the last mile because a hardcoded EKU triggered a CA rejection.
But here is the catch: Posh-ACME exposes no switch to drop clientAuth from the CSRs it generates. The escape hatch today is to build the CSR yourself and hand it over with the -CSRPath parameter of New-PACertificate, which works but moves key generation and key storage onto you. The proper fix is an order-level EKU parameter, defaulting to serverAuth only, which is the cautious default and honors the deprecation timelines; true flexibility means letting users choose, not forcing one EKU list on everyone.
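Here is that workaround in practice, as an added example that is not Posh-ACME's own code: a PowerShell 7 script that builds a CSR carrying only id-kp-serverAuth (1.3.6.1.5.5.7.3.1) with .NET's CertificateRequest, checks the CSR's EKU with openssl before it leaves the machine, submits it through Posh-ACME's -CSRPath, and then verifies that the issued certificate does not carry id-kp-clientAuth (1.3.6.1.5.5.7.3.2), which also covers the "is my CSR or certificate affected" question raised above. The domain names, file paths, contact address and DNS plugin are placeholders; `New-PACertificate -CSRPath` and the `CertFile` property of its result are Posh-ACME's real interface, everything else is the example's. It assumes PowerShell 7 (.NET Core 3.0 or later, for CertificateRequest and ExportRSAPrivateKey) and an openssl binary on PATH for the CSR check.

```powershell
# Added example, not Posh-ACME code: serverAuth-only CSR, submitted via -CSRPath,
# with an EKU check on both the CSR and the issued certificate.
# Placeholders assumed: domain names, output paths, contact address, DNS plugin.
$ErrorActionPreference = 'Stop'

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (the one to keep out)

# DER bytes -> PEM text with the usual 64-column base64 body.
function ConvertTo-Pem([string] $Label, [byte[]] $Der) {
    $b64  = [Convert]::ToBase64String($Der)
    $body = [regex]::Replace($b64, '.{1,64}', "`$0`n")
    return "-----BEGIN $Label`n$body-----END $Label"
}

# Builds a CSR whose EKU extension lists serverAuth only, unlike New-Csr.ps1,
# which always emits serverAuth plus clientAuth.
function New-ServerAuthCsr {
    param(
        [Parameter(Mandatory)] [string[]] $DnsNames,
        [Parameter(Mandatory)] [string]   $CsrPath,
        [Parameter(Mandatory)] [string]   $KeyPath
    )
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        "CN=$($DnsNames[0])", $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)

    # Extended Key Usage: serverAuth and nothing else.
    $oids = [System.Security.Cryptography.OidCollection]::new()
    [void]$oids.Add([System.Security.Cryptography.Oid]::new($ServerAuthOid, 'Server Authentication'))
    $req.CertificateExtensions.Add(
        [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]::new($oids, $false))

    # Subject Alternative Names: this is where ACME CAs read the domains from.
    $san = [System.Security.Cryptography.X509Certificates.SubjectAlternativeNameBuilder]::new()
    foreach ($name in $DnsNames) { $san.AddDnsName($name) }
    $req.CertificateExtensions.Add($san.Build($false))

    # Key Usage appropriate for an RSA TLS server key.
    $req.CertificateExtensions.Add(
        [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]::new(
            [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment', $true))

    Set-Content -Path $CsrPath -Value (ConvertTo-Pem 'CERTIFICATE REQUEST' $req.CreateSigningRequest())
    # With -CSRPath Posh-ACME never sees the private key, so it is stored here, by you.
    Set-Content -Path $KeyPath -Value (ConvertTo-Pem 'RSA PRIVATE KEY' $rsa.ExportRSAPrivateKey())
}

# Returns the EKU OIDs present in a certificate (empty array when there is no EKU extension).
function Get-EkuOids([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert) {
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

# True only when the certificate has serverAuth and lacks clientAuth.
function Test-ServerAuthOnly([string] $CertPath) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
    $oids = Get-EkuOids $cert
    return ($oids -contains $ServerAuthOid) -and ($oids -notcontains $ClientAuthOid)
}

# ---- usage (placeholder names and paths) ----
New-ServerAuthCsr -DnsNames 'www.example.com', 'example.com' -CsrPath .\server.csr -KeyPath .\server.key

# Check the CSR before it goes anywhere (openssl on PATH); expect only
# "TLS Web Server Authentication" under Extended Key Usage.
openssl req -in .\server.csr -noout -text | Select-String 'Extended Key Usage' -Context 0, 1

# Hand the CSR to Posh-ACME; the domains are taken from the CSR's SANs.
# -Plugin Manual is a placeholder for whichever DNS plugin you actually use.
$issued = New-PACertificate -CSRPath .\server.csr -AcceptTOS -Contact 'admin@example.com' -Plugin Manual

# Confirm the CA did not add clientAuth back from its own profile.
if (-not (Test-ServerAuthOnly $issued.CertFile)) {
    throw "issued certificate still carries id-kp-clientAuth ($ClientAuthOid)"
}
```

Because the CSR is supplied externally, Posh-ACME does not hold the private key; server.key has to be kept alongside the certificate it pairs with. The final check matters even with a clean CSR, since a CA that sets EKUs from its own profile can add clientAuth back regardless of what was requested, and that is exactly the case where only the CA's timeline, not the client's, decides whether the certificate stays trusted.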
The bottom line: in a world where CA rules evolve faster than code, Posh-ACME must move beyond rigid defaults. Otherwise, convenience becomes a liability - and trust vanishes faster than a certificate chain.