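In response to Chrome's policy requirements [Note 1], starting July 1 of this year the TWCA certificate chain will be updated to the CYBER Root. After you receive your certificate, be sure to install the new certificate chain.
However, if any of the following situations apply, be sure to make arrangements early: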
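| New certificate chain (from 2025.07.01, no longer has the client authentication function) | Original certificate chain (after 2026.06.15, can no longer be provided under the rules) |
| --- | --- |
| Layer 3: TWCA SSL Certificate Authority (for EV certificates: TWCA EVSSL Certificate Authority) | Layer 2: TWCA Secure SSL Certificate Authority (for EV certificates: TWCA Global EVSSL Certificate Authority) |
| Layer 4: server cert (the user's site certificate) | Layer 3: server cert (the user's site certificate) |

[Note 1] https://googlechrome.github.io/chromerootprogram/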
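Q1: How do I know whether a certificate has the "client authentication" function?
A: Open the certificate and check whether the "Enhanced Key Usage" field includes "Client Authentication (1.3.6.1.5.5.7.3.2)". All TLS certificates currently issued by TWCA have this function; in the future, under the rules, TLS certificates may no longer have it.
Q2: Why did the original certificates have the "client authentication" function?
A: Before the rules existed, certificates supported both "client authentication" and "server authentication";
the new rules require that certificates no longer support "client authentication".
(Very few users rely on this kind of authentication, so the new rules affect only a small number of users.)
Q3: I use the "client authentication" function and my certificate is still within its validity period. Is client authentication still valid?
A: Yes. "Client authentication" with a certificate that is still within its validity period is not affected.
In addition, from 2025/7/1, anyone who still needs "client authentication" must inform TWCA before applying, and the certificate will be issued under the original certificate chain. From 2026/6/15, however, the new rules must be followed and this can no longer be provided.
Q4: After 2026/6/15, if I still need "client authentication", what should I do?
A: Email SSLCC@twca.com.tw to ask about purchasing and applying for this kind of dedicated certificate.
Q5: Our system requires both "client authentication" and "server authentication". What should we do?
A: Before 2026/6/15, certificates with both functions can still be issued to those who state this need when applying,
but we recommend updating your system as early as possible. If you still need the "client authentication" function, see the answer to Q4.
Q6: Our website uses mTLS authentication (mutual authentication). Is it affected?
A: No, but make sure the certificate presented by the client has the "client authentication" function.
If you have any other questions, please call the customer service center: (02)2370-8886#9.
Respectfully, Taiwan-CA Inc.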
****************************************************
Dear TWCA SSL Certificate Users,
In compliance with Chrome's policy, starting from July 1, 2025, TWCA's certificate chain will be updated to use the CYBER Root. Upon receipt, please ensure you install the new certificate chain.
If any of the following conditions apply, please plan accordingly:
• For users who bind the certificate chain to applications or servers, we recommend deploying the new certificate chain early (see link below) and arranging updates. If there’s no binding requirement, you may install the chain after the new certificate is issued.
• The new certificate chain no longer supports clientAuth functionality. Users needing clientAuth during the transition period (2025.07.01~2026.06.15) must notify TWCA before applying, and we will issue certificates under the "original" chain.
• After June 15, 2026, if you still require clientAuth functionality, please contact TWCA to procure a specialized certificate.
| Level | New Certificate Chain (From 2025.07.01 onwards, no client authentication function) | Original Certificate Chain (Cannot be used after 2026.06.15 due to policy enforcement) |
| --- | --- | --- |
| LV1 | TWCA Global Root CA | TWCA Global Root CA |
| LV2 | TWCA CYBER Root CA | TWCA Secure SSL Certificate Authority (For EV certificates: TWCA Global EVSSL Certificate Authority) |
| LV3 | TWCA SSL Certificate Authority (For EV certificates: TWCA EVSSL Certificate Authority) | server cert (user's site certificate) |
| LV4 | server cert (user's site certificate) | |
Q1: How can I tell if a certificate supports client authentication?
A: Open the certificate and check the “Enhanced Key Usage” field. If it includes “Client Authentication (1.3.6.1.5.5.7.3.2)”, then it supports clientAuth. All current TWCA-issued TLS certificates include this, but future certificates will not.
Q2: Why do previous certificates have client authentication?
A: Before regulations were in place, certificates commonly supported both server and client authentication. The new policy prohibits clientAuth support. (This affects only a small number of users.)
Q3: My current certificate includes clientAuth and is still valid. Is it still usable?
A: Yes. Existing certificates with clientAuth will remain valid during their lifetime. From July 1, 2025, if clientAuth is needed, inform TWCA in advance to receive a certificate under the original chain. After June 15, 2026, this will no longer be allowed.
Q4: What should I do if I need client authentication after June 15, 2026?
A: Please contact SSLCC@twca.com.tw to request a specialized certificate.
Q5: Our system requires both client and server authentication. What should we do?
A: Certificates supporting both usages can still be issued until June 15, 2026 if requested at application time. Please plan to update your systems accordingly. See Q4 for post-2026 support.
Q6: Will mutual TLS (mTLS) be affected?
A: No. Just ensure the client certificate includes the clientAuth usage.
If you have further questions, please contact our customer service center at (02)2370-8886#9.
Sincerely,
Taiwan-CA Inc.