HARICA: Issuance of Server TLS Certificates with id-kp-clientAuth KeyPurposeID after CP/CPS cutoff
The bug is a preliminary incident report from HARICA’s public-incident-reports address describing a CP/CPS update failure related to Chrome Root Store Policy changes. HARICA states that Chrome’s Root Store Policy v1.6 required removal of the `id-kp-clientAuth` KeyPurposeID from the `extKeyUsage` extension effective 2026-06-15, and that HARICA updated its CP/CPS v4.9 on 2025-03-14 to incorporate that deadline. HARICA then states that Chrome extended the deprecation date to 2027-03-15 in policy v1.8, but HARICA did not update its CP/CPS to reflect the extension, so it continued to allow `id-kp-clientAuth` in TLS certificates after HARICA’s internal 2026-06-15 CP/CPS cutoff. HARICA reports that all TLS certificates issued after 2026-06-15 00:00:01 (UTC) are affected and will be replaced and revoked within 5 days. The affected certificate profiles were updated to remove the `id-kp-clientAuth` EKU temporarily until an updated CP/CPS was released, and HARICA says a full incident report will be posted no later than 2026-07-30.
- HARICA updated its CP/CPS v4.9 to incorporate the 2026-06-15 removal deadline for id-kp-clientAuth KeyPurposeID in extKeyUsage.
- HARICA’s internal CP/CPS cutoff for allowing id-kp-clientAuth KeyPurposeID in TLS certificates took effect.
- HARICA states that TLS certificates issued after 2026-06-15 00:00:01 (UTC) are affected.
- HARICA posted a preliminary incident report describing affected certificates and planned replacement/revocation within 5 days.
- HARICA — Posted a preliminary incident report stating HARICA continued to allow id-kp-clientAuth in TLS certificates after its 2026-06-15 CP/CPS cutoff, and that affected certificates will be replaced and revoked within 5 days while profiles were updated to remove the EKU temporarily.