Extended Key Usage (EKU) Mismatch
You might be unable to register a new version of a public TLS certificate because of an EKU mismatch between the versions.
This behavior occurs because public CAs (DigiCert, Let's Encrypt, and so forth) have removed the Client Authentication Extended Key Usage (EKU) from newly issued public TLS server certificates (effective from January 2026).
When you try to register new certificates in OCI, the following error might appear:
"The certificate's new extended key usages do not match the existing extended key usages."
This occurs because the OCI Certificates service validates that the renewed certificate version has the same EKUs as the previous version. If the earlier certificate included ClientAuth and the new one doesn't, registration is blocked.
This primarily affects workloads that reuse public TLS certificates for both server authentication and mTLS/client authentication. Standard HTTPS use cases aren't affected; only mTLS or server-to-server integrations that use public TLS certificates for client authentication (including scenarios where a server certificate doubles as a client certificate) are.
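The check the Certificates service performs, as an added example that is not part of the OCI documentation: it decodes the DER value of an extendedKeyUsage extension (the bytes a certificate library returns for that extension) and reports whether a renewed version would pass the same-EKU comparison. The two sample extension values are constructed for the example, not taken from a real certificate.

```python
KEY_PURPOSE_NAMES = {  # well-known KeyPurposeId OIDs (RFC 5280, section 4.2.1.12)
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
}

def read_tlv(buf, pos):
    """Read one DER tag-length-value triple; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Convert DER OID content bytes to dotted notation (base-128 sub-arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit marks the last byte of a sub-arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def parse_eku(der):
    """Return the key purposes in an extendedKeyUsage SEQUENCE OF OID value."""
    tag, body, _ = read_tlv(der, 0)
    assert tag == 0x30, "extendedKeyUsage value must be a SEQUENCE"
    purposes, pos = set(), 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        assert tag == 0x06, "KeyPurposeId must be an OBJECT IDENTIFIER"
        oid = decode_oid(value)
        purposes.add(KEY_PURPOSE_NAMES.get(oid, oid))
    return purposes

def check_renewal(previous_der, renewed_der):
    """Mirror the OCI rule: the EKU sets must match exactly; report any drift."""
    old, new = parse_eku(previous_der), parse_eku(renewed_der)
    return {"accepted": old == new, "dropped": sorted(old - new), "added": sorted(new - old)}

# Constructed sample values: the previous version carries serverAuth + clientAuth,
# the renewed one (as public CAs issue them from 2026) carries serverAuth only.
PREVIOUS_EKU = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
RENEWED_EKU = bytes.fromhex("300a" "06082b06010505070301")

if __name__ == "__main__":
    print(check_renewal(PREVIOUS_EKU, RENEWED_EKU))  # accepted False, dropped ['clientAuth']
```

Running the previous and renewed versions' extension values through check_renewal before uploading shows in advance whether the registration will be rejected; a non-empty dropped list is exactly the condition that produces the error quoted below.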
To fix this, perform one of the following procedures:
- Separate the server and client certificates: Use public TLS certificates for server authentication only and issue client authentication certificates from OCI private CA. For more information, see Creating a Certificate.
- If ClientAuth is no longer required, create a new certificate resource in OCI instead of renewing the existing one, and then update the dependent services to use the new resource.