10-24-2025 05:06 AM
I just received my first publicly signed certificate that does not include the client authentication key usage. Apparently this is an industry change happening:
Expressway requires this attribute for the mutual authentication between C & E, and will not accept the certificate.
If we use a certificate signed by a private CA, non-IT-controlled devices will get a warning and/or fail when trying to use MRA. Also, my understanding is that physical phones have a trust list which cannot be added to, so they will stop working.
Is Cisco aware of this change and is there a recommended path forward?
10-24-2025 05:30 AM
Cisco is aware of this. Until May 2026 all the major public CAs should have the option to include the client EKU. This is from the FAQ on Sectigo.
Found here: Deprecation of Client Authentication EKU from Sectigo SSL/TLS Certificates
10-24-2025 06:47 AM
Thanks, Roger. I just opened a case with Sectigo, and I'm crossing my fingers that they don't push back too hard on it.
When will a solution be available on the expressway side? Any idea what a solution would look like?
10-24-2025 08:28 AM
Sorry, but no idea on timeline or any details on what this will entail.
10-28-2025 10:47 AM
10-24-2025 01:09 PM
Whelp, Sectigo isn't budging. Their response was:
"We can confirm that SSL/TLS certificates issued or renewed through Sectigo no longer include the Client Authentication EKU, as per their recent deprecation announcement. This change does affect current and future certificate orders, and unfortunately, we are unable to issue SSL certificates with the Client Authentication EKU."
I am going to open a TAC case to have the issue tracked. Any other recommendations people have on a resolution would be appreciated.
10-24-2025 11:00 PM
That's surprisingly bad. One might wonder then why they have that kind of wording in their FAQ, as it gives the impression that it would be possible to get it included up until the hard stop stated to be May next year.
10-24-2025 11:23 PM
Yeah, this actually happened to me too. When the public certs stopped using client authentication, Expressway started rejecting connections. I fixed it by reissuing the certs with client auth enabled again; after that everything synced fine. Might be worth checking if your cert chain still has that flag included.
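One way to do the check the last reply suggests, as an added example that is not from the thread, from Cisco or from Sectigo: walk a DER-encoded X.509 certificate with a minimal standard-library DER reader, find the Extended Key Usage extension (OID 2.5.29.37) and report whether serverAuth (1.3.6.1.5.5.7.3.1) and clientAuth (1.3.6.1.5.5.7.3.2) are listed. The function names and the skeleton certificate built for the self-test are assumptions for illustration; the skeleton carries only the fields the walker touches and is not a real certificate. Point `check_client_auth` at the DER (or PEM, via `load_cert_bytes`) of the Expressway certificate to see what the CA actually issued.

```python
import base64
import re
from typing import List, Optional

# Added example, not from the thread: report EKU contents of an X.509 certificate.
OID_EKU = "2.5.29.37"
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _iter_sequence(value: bytes):
    """Yield (tag, value) for each element inside a SEQUENCE/SET body."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                    # base-128, high bit set on continuation bytes
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def load_cert_bytes(data: bytes) -> bytes:
    """Accept PEM or DER input and return DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def find_eku_oids(der_cert: bytes) -> Optional[List[str]]:
    """EKU OIDs of the certificate, or None when the extension is absent.
    Path: Certificate -> tbsCertificate -> [3] Extensions -> Extension(2.5.29.37)."""
    _, cert, _ = _read_tlv(der_cert, 0)
    _, tbs, _ = _read_tlv(cert, 0)
    for tag, field in _iter_sequence(tbs):
        if tag != 0xA3:                    # only the context-specific [3] EXPLICIT extensions
            continue
        _, extensions, _ = _read_tlv(field, 0)
        for _, ext in _iter_sequence(extensions):
            parts = list(_iter_sequence(ext))      # extnID, [critical], extnValue
            if _decode_oid(parts[0][1]) == OID_EKU:
                _, eku_seq, _ = _read_tlv(parts[-1][1], 0)   # OCTET STRING wraps a SEQUENCE OF OID
                return [_decode_oid(v) for _, v in _iter_sequence(eku_seq)]
    return None


def check_client_auth(der_cert: bytes) -> dict:
    ekus = find_eku_oids(der_cert)
    return {
        "has_eku": ekus is not None,
        "server_auth": bool(ekus) and OID_SERVER_AUTH in ekus,
        "client_auth": bool(ekus) and OID_CLIENT_AUTH in ekus,
    }


# --- constructed sample input (hypothetical skeleton, NOT a real certificate) ---
def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_skeleton_cert(eku_oids: Optional[List[str]]) -> bytes:
    """Minimal Certificate shape carrying version, serial and (optionally) an EKU extension.
    Real certificates carry more tbs fields; the walker skips them by tag."""
    extensions = b""
    if eku_oids is not None:
        eku_seq = _tlv(0x30, b"".join(_encode_oid(o) for o in eku_oids))
        ext = _tlv(0x30, _encode_oid(OID_EKU) + _tlv(0x04, eku_seq))
        extensions = _tlv(0xA3, _tlv(0x30, ext))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + extensions)
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


def to_pem(der_cert: bytes) -> bytes:
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der_cert) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Real-world use: check_client_auth(load_cert_bytes(open("expressway.pem", "rb").read()))
    print(check_client_auth(build_skeleton_cert([OID_SERVER_AUTH])))
```

A result with `has_eku` true but `client_auth` false is exactly the new Sectigo profile described above; `has_eku` false (no EKU extension at all) would also fail an Expressway that requires the attribute to be present.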