topic Re: Public certs removing client authentication breaking Expressway in Collaboration Applications

Public certs removing client authentication breaking Expressway

mhurley131 — Fri, 24 Oct 2025 12:06:35 GMT

I just received my first publicly signed certificate that does not include the client authentication key usage. Apparently this is an industry change happening:

https://www.sectigo.com/resource-library/tls-client-authentication-public-ca-end-2026#:~:text=Sectigo%20announced%20that%20starting%20September,no%20exceptions%20will%20be%20granted.

Expressway requires this attribute for the mutual authentication between C & E, and will not accept the certificate.

If we use a certificate signed by a private certificate, non-IT controlled devices will get a warning and/or fail when trying to use MRA. Also, my understanding is that physical phones have a trust list which can not be added to, so they will stop working.

Is Cisco aware of this change and is there a recommended path forward?

Re: Public certs removing client authentication breaking Expressway

Roger Kallberg — Fri, 24 Oct 2025 12:30:37 GMT

Cisco is aware of this. Until May 2026 all the major public CA's should have the option to include the client EKU. This is from the FAQ on Sectigo.

Found here Deprecation of Client Authentication EKU from Sectigo SSL/TLS Certificates

Re: Public certs removing client authentication breaking Expressway

mhurley131 — Fri, 24 Oct 2025 13:47:01 GMT

Thanks, Roger. I just opened a case with Sectigo, and I'm crossing my fingers that they don't push back too hard on it.

When will a solution be available on the expressway side? Any idea what a solution would look like?

Re: Public certs removing client authentication breaking Expressway

Roger Kallberg — Fri, 24 Oct 2025 15:28:09 GMT

Sorry, but no idea on timeline or any details on what this will entail.

Re: Public certs removing client authentication breaking Expressway

mhurley131 — Fri, 24 Oct 2025 20:09:19 GMT

Whelp, Sectigo isn't budging. Their response was:

"We can confirm that SSL/TLS certificates issued or renewed through Sectigo no longer include the Client Authentication EKU, as per their recent deprecation announcement. This change does affect current and future certificate orders, and unfortunately, we are unable to issue SSL certificates with the Client Authentication EKU."

I am going to open a TAC case to have the issue tracked. Any other recommendations people have on a resolution would be appreciated.

Re: Public certs removing client authentication breaking Expressway

Roger Kallberg — Sat, 25 Oct 2025 06:00:22 GMT

That suprisingly bad. One might wonder then why they have that kind of wording in their FAQ as that gives the impression that it would be possible to get it included up until the hard stop stated to be May next year.

Re: Public certs removing client authentication breaking Expressway

Chloeharper — Sat, 25 Oct 2025 06:23:31 GMT

Yeah this actually happened to me too. When the public certs stopped using client authentication, Expressway started rejecting connections. I fixed it by reissuing the certs with client auth enabled again after that everything synced fine. Might be worth checking if your cert chain still has that flag included.

Re: Public certs removing client authentication breaking Expressway

Alexis Amaro — Tue, 28 Oct 2025 17:47:04 GMT

You can monitor:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwr73373

Re: Public certs removing client authentication breaking Expressway

Mohammadreza Hadi — Mon, 03 Nov 2025 06:04:52 GMT

It's seems we must wait for expressway version 15.3.2 to this issue been fixing by Cisco..

See this link >>

https://bst.cisco.com/bugsearch/bug/CSCwr73373?rfs=qvlogin

At the end of it, this text is written:

"..Cisco currently working on code enhancement track by this CDETS (target as X15.3.2).."

Also, this link suggests manually uploading certificate files via winscp, but that doesn't solve the problem with MRA services and phones... because right now this mode requires EKU client authentication mandatory..

Re: Public certs removing client authentication breaking Expressway

mhurley131 — Mon, 03 Nov 2025 21:41:57 GMT

Even though Sectigo's published dates say they are removing it by default starting this month, with a hard stop date of May 2026, they are not making exceptions when requested.

We have had a support case open for over a week with escalations, and the most recent response reiterated that they will not add EKU upon request. Their recommendation is: "We recommend taking proactive steps and contacting Cisco support for guidance"

My open TAC case doesn't have workable solution other than trying to escalate with Sectigo. They did note that a Field Notice should be released very soon about this issue.

Has anyone found a Public CA that will still issue a cert with EKU?

Re: Public certs removing client authentication breaking Expressway

Nithin Eluvathingal — Mon, 03 Nov 2025 23:28:01 GMT

I believe all Public CAs are following the same procedures. With DigiCert, it may be possible to go through the account manager.

Re: Public certs removing client authentication breaking Expressway

Roger Kallberg — Tue, 04 Nov 2025 06:27:27 GMT

The field note that your reference is very likely the bug note that two people have already mentioned in responses. We also have a support case open with Sectigo, but not for issues related to MRA/Expressway, but a service provider SIP trunk that uses EKU. Will be interesting to see what response we get. TBC

Re: Public certs removing client authentication breaking Expressway

krcollab — Tue, 04 Nov 2025 23:08:33 GMT

I have a customer running into the same issue with Sectigo certs. If someone find a way to get Sectigo to issue them certs with the EKU or finds another CA who will provide certificates that include it, please post your findings here.
Until Cisco puts out a version of Expressway that doesn't require the field for MRA functionality, there are going to be a lot of Cisco customers with broken systems.

Re: Public certs removing client authentication breaking Expressway

Nithin Eluvathingal — Wed, 05 Nov 2025 05:27:00 GMT

If I understood correctly, Cisco will take time to adhere to the new changes in the certs, and they are asking us to talk to the CA provider to provide the certs with Client EKU.
One suggestion was to renew the certs in March 2026 so that we get a cert for another year.
If Sectigo doesn't support this, we should talk to other providers like DigiCert, GoDaddy, etc. We are in the process of renewing the certs and have requested GoDaddy to include the Client EKU and are waiting for the new cert.

Re: Public certs removing client authentication breaking Expressway

Helkmann — Thu, 06 Nov 2025 14:05:10 GMT

We face the same Problem and now try to buy from DigiCert because Sectigo is not willing to help.

Re: Public certs removing client authentication breaking Expressway

samuel.gay — Thu, 06 Nov 2025 14:13:42 GMT

FYI 2 days ago I tried to get a new certificate with Gandi (which relies on Digicert or Sectigo). In both case I get only a certificate with "TLS Server authentication" EKU. From what I see with Gandi you don't have the possibily to request "TLS client authentication" EKU.

According to Digicert KB it is still possible to request a certificate with "TLS client authentication" EKU: https://knowledge.digicert.com/alerts/sunsetting-client-authentication-eku-from-digicert-public-tls-certificates#october.

Re: Public certs removing client authentication breaking Expressway

krcollab — Thu, 06 Nov 2025 22:01:31 GMT

Checking back to see if anyone has successfully received a certificate from a CA with the client EKU. I know many people were trying other providers but I have yet to hear of anyone actually receiving a cert.

Re: Public certs removing client authentication breaking Expressway

krcollab — Mon, 10 Nov 2025 16:41:35 GMT

Did you try Digicert and did they provide you with a cert in the end that had the EKU?

Re: Public certs removing client authentication breaking Expressway

Manual404 — Tue, 11 Nov 2025 08:59:15 GMT

I guess it's time for ExpressWay decomm.

Re: Public certs removing client authentication breaking Expressway

Roger Kallberg — Tue, 11 Nov 2025 12:18:46 GMT

There will be an update of the operating system in Expressway that handles certificates not having the EKU. In this thread it’s been referred to two times.