ClientAuth EKU support being removed by Certificate Authority granters
Article ID: 433696

Products

VMware Tanzu Application Service

Issue/Introduction

Starting May 2026, public certificate authorities will no longer be issuing certs with Client Authentication Extended Key Usage (EKU). Do you have to make any changes to Tanzu Platform in order to accommodate this change?

Cause

https://www.rsaconference.com/library/blog/sunsetting-the-clientauth-eku-what-why-and-how-to-prepare-for-the-change 

Resolution

Tanzu Platform (TP) is not affected by the EKU change. The certificates used for mTLS within TP are self-signed and are not issued by public CAs. See the following example of an mtls_ca_cert from a TAS manifest; note the O=Pivotal in the Issuer, which is identical to the Subject:

└─$ openssl x509 -in mtls_ca_cert -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Pivotal
        Validity
            Not Before: Jun 27 05:41:32 2025 GMT
            Not After : Jun 27 05:41:31 2029 GMT
        Subject: C=US, O=Pivotal
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:


If a customer runs publicly available apps whose mTLS relies on certificates with the Client Authentication EKU issued by a public CA, they will need to renew the certificates for those apps by the deadline imposed by their Certificate Authority.
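The two checks above (does the certificate carry the clientAuth EKU, and is it self-signed rather than CA-issued) can be scripted for an inventory of app certificates. The following shell script is an added example and is not part of this article or of the Tanzu product; it assumes openssl 1.1.1 or newer on PATH, and the certificates it inspects are constructed locally for demonstration (a self-signed certificate like the mtls_ca_cert shown above, plus two leaf certificates issued by a throwaway CA). It only distinguishes self-signed from CA-issued; whether a CA-issued certificate's issuer is a public CA still has to be confirmed against the customer's own CA list.

```shell
#!/bin/sh
# Added example, not from the KB article or the Tanzu product.
# Assumes: openssl 1.1.1+ on PATH. All certificates below are constructed
# here for demonstration only.
set -e

WORK="$(mktemp -d)"

# Exit 0 if the certificate file $1 carries the clientAuth Extended Key Usage.
cert_has_clientauth() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null \
        | grep -q 'TLS Web Client Authentication'
}

# Exit 0 if issuer and subject match, i.e. the certificate is self-signed
# (the situation the article describes for a TAS mtls_ca_cert).
cert_is_self_signed() {
    issuer="$(openssl x509 -in "$1" -noout -issuer)"
    subject="$(openssl x509 -in "$1" -noout -subject)"
    [ "${issuer#issuer=}" = "${subject#subject=}" ]
}

# Classify one certificate:
#   no-clientauth          - unaffected by the EKU sunset
#   clientauth-self-signed - self-signed; unaffected by the public CA change
#   clientauth-ca-issued   - confirm whether the issuer is a public CA; if it
#                            is, renew before that CA's deadline
assess_cert() {
    if ! cert_has_clientauth "$1"; then
        echo "no-clientauth"
    elif cert_is_self_signed "$1"; then
        echo "clientauth-self-signed"
    else
        echo "clientauth-ca-issued"
    fi
}

# --- constructed sample certificates ---------------------------------------

# Self-signed certificate with clientAuth, modelled on the article's mtls_ca_cert.
SELF_PEM="$WORK/self.pem"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/C=US/O=Example Org" \
    -addext "extendedKeyUsage=serverAuth,clientAuth" \
    -keyout "$WORK/self.key" -out "$SELF_PEM" 2>/dev/null

# A throwaway CA standing in for an external issuer.
CA_PEM="$WORK/ca.pem"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/C=US/O=Example CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -keyout "$WORK/ca.key" -out "$CA_PEM" 2>/dev/null

# Leaf issued by that CA with serverAuth and clientAuth (an mTLS app cert).
LEAF_PEM="$WORK/leaf.pem"
openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=US/O=Example Org/CN=app.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
printf 'extendedKeyUsage=serverAuth,clientAuth\n' > "$WORK/leaf.ext"
openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
    -CA "$CA_PEM" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$LEAF_PEM" 2>/dev/null

# Leaf issued by the same CA with serverAuth only (what public CAs will issue).
SERVER_PEM="$WORK/server.pem"
openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=US/O=Example Org/CN=www.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
printf 'extendedKeyUsage=serverAuth\n' > "$WORK/server.ext"
openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$CA_PEM" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$SERVER_PEM" 2>/dev/null

# Report one line per certificate.
for f in "$SELF_PEM" "$LEAF_PEM" "$SERVER_PEM"; do
    printf '%s: %s\n' "$f" "$(assess_cert "$f")"
done
```

To run this against a real inventory, drop the sample-generation section and call assess_cert on each PEM file exported from the platform or the app's trust material; anything reported as clientauth-ca-issued with a public CA in its Issuer is what needs renewal before the CA's cutoff.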

Additional Information

https://knowledge.digicert.com/alerts/sunsetting-client-authentication-eku-from-digicert-public-tls-certificates

https://www.rsaconference.com/library/blog/sunsetting-the-clientauth-eku-what-why-and-how-to-prepare-for-the-change