Client Certificates for EPP
Changes to EPP Client certificate validation.
In June 2025, we identified an upcoming change in the market for the client certificates used for EPP authentication on Nominet’s RSP platform.
The technical change by Certificate Authorities
Public Certificate Authorities (CAs) are removing the clientAuth Extended Key Usage (EKU) value (id-kp-clientAuth, OID 1.3.6.1.5.5.7.3.2, referred to below as the EKU bit) from the certificates they issue. A certificate without this EKU is no longer valid for TLS client authentication.
Currently, Nominet’s RSP platform, which supports gTLDs, .GOV.UK, .PN, as well as the .UK future-state testbed, requires the clientAuth EKU in the client certificate in order to validate EPP connections. Without it, validation fails and the connection is refused.
Industry guidance on certificate use is also moving towards ever shorter validity periods, which means certificates must be replaced more frequently.
Timeline & Availability for client certificates
By March 2027, it will no longer be possible to obtain new client certificates with the clientAuth EKU from any publicly trusted certificate chain. Existing client certificates remain valid until they expire. We are currently aware of the following providers still issuing such certificates until the dates listed (earliest first).
| Certificate Authority | Date from which client certificates will no longer be issued |
|---|---|
| Certum | 2026-05-15 |
| Let’s Encrypt | 2026-07-08 |
| GlobalSign | 2026-09-13 |
| IdenTrust | 2027-02-01 |
| Sectigo | 2027-02-10 |
| DigiCert | 2027-03-01 |
You may need to request a client-authentication certificate explicitly, as some CAs now issue certificates without the EKU bit set by default. Check the Extended Key Usage extension of any certificate before deploying it.
NOTE: For now, registrars should continue to use client certificates with the clientAuth EKU issued by a public CA to connect to Nominet’s RSP platform. We are putting in place a method to mitigate these changes.
Strategic Drivers for Changes in EPP client validation
Given these industry constraints, our current implementation of client certificate validation must change. This also provides an opportunity to address frequent requests from registrars for cloud-native deployments that are not dependent on fixed IP address allow-listing.
Planned Update: EPP Authentication & Validation
Nominet is updating the certificate handling process for EPP validation on our RSP platform. The change addresses the public CA changes described above and increases flexibility for cloud-native environments whilst maintaining robust security.
IP Allow-Listing
To better support dynamic infrastructure, we will remove the requirement for IP allow-listing on EPP connections. Authentication will instead be based on the certificate the client presents during the TLS handshake, together with the EPP username and password. Once allow-listing is removed, possession of the certificate’s private key and the EPP credentials is sufficient to connect, so the private key must be protected accordingly.
Certificate Validation Models
We will accept certificates issued by public Certificate Authorities (CAs) or private CAs, as well as self-signed certificates. To authenticate via EPP, registrars must first share the public certificate with Nominet; trust is established by matching the presented certificate against the pre-shared one rather than by the issuing chain.
Initial Method: Online Services (Manual Upload)
Registrars will be able to upload public certificates directly to their account via our Online Services portal.
- Accreditation Linking: Certificates will be stored against the registrar’s specific accreditation.
- Certificate Rotation: Multiple public certificates can be stored simultaneously, so a new certificate can be uploaded and brought into use before the old one is removed.
- Validity Limits: Nominet will enforce that the certificate’s “valid from” (notBefore) date is less than one year in the past and that the total validity period (notBefore to notAfter) is at most one year.
We intend to release this authentication option this summer. The release will be backwards compatible: registrars that have not pre-shared a certificate will continue to be restricted by their IP allow list. Once a certificate has been supplied, the IP allow list ceases to be used.
Future automation method: TLSA records in the DNS
We recognise that manually sharing certificates reduces flexibility for cloud-native environments and limits the use of short-lived client certificates. We therefore intend to work on an automated approach using TLSA records in the DNS (the DANE record type defined in RFC 6698), which allow a certificate or public key to be published under a DNS name. Further details will be confirmed at a later date.
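The three technical points above (the clientAuth EKU the RSP platform currently requires, the validity limits that will be enforced on upload, and the TLSA data a DANE-based method would publish) as an added shell example. This is not Nominet’s tooling and the TLSA owner name is a placeholder, since the record format has not been published. It assumes OpenSSL 1.1.1 or later and GNU date; the 366-day reading of “one year” and the self-signed sample certificate are assumptions, constructed here so the script runs offline.

```shell
#!/bin/sh
# Added example, not Nominet tooling. Assumes OpenSSL >= 1.1.1 (-addext),
# GNU date (parses openssl's date strings), and that "one year" means at
# most 366 days to allow for a leap day (an assumption).

MAX_VALIDITY_DAYS=366

# openssl prints dates as e.g. "Jan 25 12:00:00 2025 GMT"; GNU date parses that.
to_epoch() {
    date -u -d "$1" +%s
}

not_before_epoch() {
    to_epoch "$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)"
}

not_after_epoch() {
    to_epoch "$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)"
}

# Succeeds only if the EKU extension contains id-kp-clientAuth (OID
# 1.3.6.1.5.5.7.3.2), which openssl renders as "TLS Web Client Authentication".
has_client_auth_eku() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# Total validity period (notBefore to notAfter) in whole days.
validity_days() {
    echo $(( ($(not_after_epoch "$1") - $(not_before_epoch "$1")) / 86400 ))
}

# The two upload limits: notBefore no more than a year in the past, and the
# whole validity period at most a year.
within_validity_limits() {
    cert_start=$(not_before_epoch "$1")
    now=$(date -u +%s)
    [ "$cert_start" -ge $(( now - MAX_VALIDITY_DAYS * 86400 )) ] || return 1
    [ "$(validity_days "$1")" -le "$MAX_VALIDITY_DAYS" ]
}

# SHA-256 fingerprint of the DER certificate, for confirming what was uploaded.
sha256_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# TLSA rdata with usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo) and
# matching type 1 (SHA-256): the SHA-256 of the DER-encoded SPKI. Selector 1
# means the record survives renewal as long as the key pair is kept.
tlsa_rdata_3_1_1() {
    spki_hash=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}')
    echo "3 1 1 $spki_hash"
}

# Constructed sample input: a self-signed client certificate. $1 = output PEM,
# $2 = validity in days, $3 = EKU to include (defaults to clientAuth).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=epp-client.registrar.example" \
        -addext "extendedKeyUsage=${3:-clientAuth}" >/dev/null 2>&1
}

make_sample_cert epp-client.pem 365
has_client_auth_eku epp-client.pem && echo "clientAuth EKU present"
within_validity_limits epp-client.pem && echo "validity within limits ($(validity_days epp-client.pem) days)"
echo "SHA-256 fingerprint: $(sha256_fingerprint epp-client.pem)"
# Placeholder owner name: Nominet has not yet published the record format.
echo "_epp._tcp.epp-client.registrar.example. IN TLSA $(tlsa_rdata_3_1_1 epp-client.pem)"
```

To check a certificate you already hold, point the functions at your own PEM file instead of the constructed one; a certificate issued without clientAuth fails `has_client_auth_eku`, and one issued for two years fails `within_validity_limits` even though it is otherwise well-formed.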
If you have questions about your current setup or potential impact, contact Customer Support.
Minerva House, Edmund Halley Road, Oxford Science Park, OX4 4DQ, United Kingdom