Comment by nickf

Server certs will be losing the clientAuth EKU this year, so those will be out. SMIME certs may start to drop it too. I don’t know many CAs that will do a clientAuth only cert from a public CA, largely because it’s unnecessary. If it’s for auth, use a private CA.