• Information

End of TLS Client Authentication Certificates

Effective immediately, public CAs (certification authorities) are no longer permitted to use the Extended Key Usages (EKU) id-kp-clientAuth and id-kp-serverAuth simultaneously in TLS certificates. Those who do not comply with this rule will no longer be included in the Chrome Root Program and will therefore no longer appear in the Trust Store. We provide information about who is affected and what you should do now.

24.10.2025|zuletzt aktualisiert:24.10.2025

More and more CAs are no longer issuing TLS certificates with EKU for client authentication. This means that customers can no longer use their existing “normal” TLS certificates for client authentication.

In practice, this means that systems can no longer authenticate themselves to other email servers—such as Exchange Online—using TLS client authentication certificates.

Customers with automatic certificate generation via NoSpamProxy – new solution in development

Both NoSpamProxy Cloud customers and NoSpamProxy Server customers who use automatic certificate generation for O365 via NoSpamProxy are currently in a grace period until May 2026.

NoSpamProxy obtains its TLS client authentication certificates for O365 via Let’s Encrypt. Let’s Encrypt has provided a special profile for this transition phase that allows pure TLS client auth certificates to be requested.

We have ensured that we are using this transition profile with Let’s Encrypt. We are also already working on developing a permanent and customer-friendly solution, making any necessary adjustments to NoSpamProxy, and informing our customers in a timely manner.

Options for customers without automatic certificate generation via NoSpamProxy

All customers who do not obtain their O365 certificates automatically via NoSpamProxy or who rely on TLS client authentication in their own connectors should check which of the following options is suitable for them:

  • Continue to use TLS client authentication if necessary.
  • Switch to IP filtering.
  • Find a CA that issues individual TLS client authentication certificates in addition to “normal” TLS server certificates and purchase these.
  • Set up a private CA to issue the required certificates yourself.

Important note for Exchange Online customers

NoSpamProxy uses TLS client authentication by default for connecting to Exchange Online. If you use your own certificates, they must come from a trusted CA – otherwise Microsoft will not accept them.

If this is not possible, we recommend switching the connectors to IP-based filtering. This is currently the only directly available alternative in Exchange Online.

Do you have questions or need support?

You will find a dedicated thread on this topic in the NoSpamProxy forum. Please use it for any queries or suggestions.

Go to the thread in the NoSpamProxy forum

Whaling attacks explained: How cybercriminals target executivesWhaling-Angriffe erklärt: So zielen Cyberkriminelle auf Führungskräfte 800x800Intelligentes Greylisting mit NoSpamProxy 800x800Intelligent greylisting with NoSpamProxy