Starting in April 2026, major public Certificate Authorities (CAs) will stop issuing TLS certificates that support client authentication. This change may require action if you use self-managed MongoDB with certificates from public CAs. This change only matters if:

• You run self-managed MongoDB (not Atlas)
• You obtain server TLS certificates from a public Certificate Authority

You are not affected if:

• You use MongoDB Atlas
• You use a private/internal Certificate Authority to issue all server TLS certificates
• You disable mTLS in server nodes through the tlsWithholdClientCertificate server parameter (enabled by default)

Please refer to this page to this Technical Advisory for more information.

Resources

• tlsWithholdClientCertificate:
  https://www.mongodb.com/docs/manual/reference/parameters/#mongodb-parameter-param.tlsWithholdClientCertificate
• tlsAllowConnectionsWithoutCertificates: 
  https://www.mongodb.com/docs/manual/reference/parameters/#mongodb-parameter-param.tlsAllowConnectionsWithoutCertificates
• Google Trust Services – clientAuth deprecation:
  https://pki.goog/updates/may2025-clientauth.html
• Let’s Encrypt – ending TLS client authentication:
  https://letsencrypt.org/2025/05/14/ending-tls-client-authentication
• Sectigo – Client Authentication EKU deprecation FAQ:
  https://www.sectigo.com/faq-client-authentication-eku-deprecation
• DigiCert – sunsetting client authentication EKU:
  https://knowledge.digicert.com/alerts/sunsetting-client-authentication-eku-from-digicert-public-tls-certificates
• AWS ACM (public CA) – removal of TLS Web Client Authentication EKU: 
  https://docs.aws.amazon.com/acm/latest/userguide/acm-concepts.html#concept-acm-cert