Public certs removing client authentication breaking Expressway

mhurley131
Level 4

I just received my first publicly signed certificate that does not include the client authentication key usage. Apparently this is an industry change happening:

https://www.sectigo.com/resource-library/tls-client-authentication-public-ca-end-2026#:~:text=Sectigo%20announced%20that%20starting%20September,no%20exceptions%20will%20be%20granted.

Expressway requires this attribute for the mutual authentication between C & E, and will not accept the certificate.


If we use a certificate signed by a private CA, non-IT-controlled devices will get a warning and/or fail when trying to use MRA. Also, my understanding is that physical phones have a trust list which cannot be added to, so they will stop working.

Is Cisco aware of this change and is there a recommended path forward?


Cisco is aware of this. Until May 2026 all the major public CAs should have the option to include the client EKU. This is from the FAQ on Sectigo.


Found here: Deprecation of Client Authentication EKU from Sectigo SSL/TLS Certificates
Thanks, Roger. I just opened a case with Sectigo, and I'm crossing my fingers that they don't push back too hard on it.

When will a solution be available on the Expressway side? Any idea what a solution would look like?

Sorry, but no idea on timeline or any details on what this will entail.



mhurley131
Level 4

Whelp, Sectigo isn't budging. Their response was:

"We can confirm that SSL/TLS certificates issued or renewed through Sectigo no longer include the Client Authentication EKU, as per their recent deprecation announcement. This change does affect current and future certificate orders, and unfortunately, we are unable to issue SSL certificates with the Client Authentication EKU."

I am going to open a TAC case to have the issue tracked. Any other recommendations people have on a resolution would be appreciated.

That's surprisingly bad. One might wonder then why they have that kind of wording in their FAQ, as it gives the impression that it would be possible to get it included up until the hard stop stated to be May next year.

Chloeharper
Level 1

Yeah, this actually happened to me too. When the public certs stopped using client authentication, Expressway started rejecting connections. I fixed it by reissuing the certs with client auth enabled again; after that everything synced fine. Might be worth checking if your cert chain still has that flag included.

Chloe Harper | ARZ Host Team
Helping users with reliable and scalable hosting solutions — arzhost.com

Support: support@arzhost.com
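The check suggested above, as an added example that is not from the thread: a POSIX shell function that splits a PEM file (leaf or full chain) into its certificates and reports whether each one's Extended Key Usage carries TLS Web Client Authentication, the attribute Expressway needs for the C-to-E mutual TLS. It assumes the openssl CLI is installed; the file path is whatever you exported from the Expressway.

```shell
#!/bin/sh
# Check each certificate in a PEM file (a leaf or a full chain) for the
# Extended Key Usage "TLS Web Client Authentication" (OID 1.3.6.1.5.5.7.3.2).
# Expressway needs it on the server certificate for the mutual TLS between
# Expressway-C and Expressway-E; a public cert issued without it is rejected.
# Assumes the openssl CLI is installed. Exit status: 0 if the first (leaf)
# certificate carries clientAuth, 1 if it does not, 2 if the file is unreadable.
check_client_auth_eku() {
  pem="$1"
  [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 2; }
  tmpdir=$(mktemp -d)
  # Split a bundle into one file per certificate: cert1.pem, cert2.pem, ...
  awk -v dir="$tmpdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
    n { print > out }
    /-----END CERTIFICATE-----/ { close(out) }
  ' "$pem"
  rc=1
  i=1
  while [ -f "$tmpdir/cert$i.pem" ]; do
    f="$tmpdir/cert$i.pem"
    subject=$(openssl x509 -in "$f" -noout -subject)
    # openssl prints the EKU names on the line after the extension header
    eku=$(openssl x509 -in "$f" -noout -text \
          | sed -n '/X509v3 Extended Key Usage/{n;s/^ *//;p;}')
    if printf '%s' "$eku" | grep -q 'TLS Web Client Authentication'; then
      status="clientAuth present"
      [ "$i" -eq 1 ] && rc=0
    else
      status="clientAuth MISSING"
    fi
    echo "$subject | EKU: ${eku:-(none)} | $status"
    i=$((i + 1))
  done
  rm -rf "$tmpdir"
  return $rc
}

# Usage (path is a placeholder): check_client_auth_eku /path/to/expressway-e-chain.pem
```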

It seems we must wait for Expressway version 15.3.2 for this issue to be fixed by Cisco.

See this link >>

https://bst.cisco.com/bugsearch/bug/CSCwr73373?rfs=qvlogin

At the end of it, this text is written:

"..Cisco currently working on code enhancement track by this CDETS (target as X15.3.2).."

Also, this link suggests manually uploading certificate files via WinSCP, but that doesn't solve the problem with MRA services and phones, because right now this mode makes the EKU client authentication mandatory.

(Rate by "Helpful" or "Accept") (محمدرضا هادی_ایران) (Email: morez.hadi@gmail.com)

mhurley131
Level 4

Even though Sectigo's published dates say they are removing it by default starting this month, with a hard stop date of May 2026, they are not making exceptions when requested.

We have had a support case open for over a week with escalations, and the most recent response reiterated that they will not add the EKU upon request. Their recommendation is: "We recommend taking proactive steps and contacting Cisco support for guidance"

My open TAC case doesn't have a workable solution other than trying to escalate with Sectigo. They did note that a Field Notice should be released very soon about this issue.

Has anyone found a Public CA that will still issue a cert with EKU?

I believe all Public CAs are following the same procedures. With DigiCert, it may be possible to go through the account manager.


The field notice that you reference is very likely the bug note that two people have already mentioned in responses. We also have a support case open with Sectigo, though not for issues related to MRA/Expressway, but for a service provider SIP trunk that uses the EKU. Will be interesting to see what response we get. TBC



krcollab
Level 4

I have a customer running into the same issue with Sectigo certs. If someone finds a way to get Sectigo to issue them certs with the EKU, or finds another CA who will provide certificates that include it, please post your findings here.
Until Cisco puts out a version of Expressway that doesn't require the field for MRA functionality, there are going to be a lot of Cisco customers with broken systems.

If I understood correctly, Cisco will take time to adhere to the new changes in the certs, and they are asking us to talk to the CA provider to provide the certs with Client EKU.
One suggestion was to renew the certs in March 2026 so that we get a cert for another year.
If Sectigo doesn't support this, we should talk to other providers like DigiCert, GoDaddy, etc. We are in the process of renewing the certs and have requested GoDaddy to include the Client EKU and are waiting for the new cert.



Helkmann
Level 1

We face the same problem and are now trying to buy from DigiCert because Sectigo is not willing to help.