From https://letsencrypt.org/2025/05/14/ending-tls-client-authent...
"This change is prompted by changes to Google Chrome’s root program requirements, which impose a June 2026 deadline to split TLS Client and Server Authentication into separate PKIs. Many uses of client authentication are better served by a private certificate authority, and so Let’s Encrypt is discontinuing support for TLS Client Authentication ahead of this deadline."
TL;DR blame Google
Google didn't force lets encrypt to totally get out of the client cert business, they just decided it wasn't worth the effort anymore.
Publicly-trusted client authentication does nothing. It's not a thing that should exist, or is needed.
Feel free to start your own non-profit to issue client certs signed by a public authority.
As LE says, most users of client certs are doing mtls and so self-signed is fine.
> they just decided it wasn't worth the effort anymore
That seems disingenuous. Doesn't being in the client cert business now require a lot of extra effort that it didn't before, due entirely to Google's new rule?
No, not really. Unless you consider basic accountability "extra effort".