Public certs removing client authentication breaking Expressway

mhurley131
Level 4

I just received my first publicly signed certificate that does not include the client authentication key usage. Apparently this is an industry change happening:

https://www.sectigo.com/resource-library/tls-client-authentication-public-ca-end-2026#:~:text=Sectigo%20announced%20that%20starting%20September,no%20exceptions%20will%20be%20granted.

Expressway requires this attribute for the mutual authentication between C & E, and will not accept the certificate.


If we use a certificate signed by a private certificate, non-IT controlled devices will get a warning and/or fail when trying to use MRA. Also, my understanding is that physical phones have a trust list which can not be added to, so they will stop working.

Is Cisco aware of this change and is there a recommended path forward?

 


samuel.gay
Level 1

FYI 2 days ago I tried to get a new certificate with Gandi (which relies on Digicert or Sectigo). In both cases I get only a certificate with "TLS Server authentication" EKU. From what I see with Gandi you don't have the possibility to request "TLS client authentication" EKU.

According to Digicert KB it is still possible to request a certificate with "TLS client authentication" EKU: https://knowledge.digicert.com/alerts/sunsetting-client-authentication-eku-from-digicert-public-tls-certificates#october.


Did you try Digicert and did they provide you with a cert in the end that had the EKU?

krcollab
Level 4

Checking back to see if anyone has successfully received a certificate from a CA with the client EKU. I know many people were trying other providers but I have yet to hear of anyone actually receiving a cert.

Manual404
Level 1

I guess it's time for ExpressWay decomm.

There will be an update of the operating system in Expressway that handles certificates not having the EKU. In this thread it’s been referred to two times.



I saw that, but it doesn't help our customer whose system is already dead in the water or any customers whose certs expire before whatever future date the non-EKU version is released.  

 

Dear @krcollab,

Here in the Cisco forum, people work and post voluntarily,
and they have no responsibility at Cisco.

We are also involved in this issue and have many problems.

(Rate by "Helpful" or "Accept") (محمدرضا هادی_ایران) (Email: morez.hadi@gmail.com)

I didn't think anyone in the conversation was from Cisco or in any way responsible for the issue.  The issue itself isn't Cisco's fault, it's a change pushed by the CAs.  I was just pointing out, because of the statement "In this thread it’s been referred to two times" that I am aware that Cisco is planning on releasing an Expressway version with a workaround.  However, that doesn't fix currently-broken or soon-to-be-broken systems so I've been asking in the thread whether anyone has been successful in actually receiving a cert with the EKU from any CA, as that is currently the only way to get things working again. 

We just got Sectigo to issue us new certificates that include the EKU. So it is possible to get the public CAs to live up to what they state in their FAQs: that from October 7 through May next year it should be possible to get a certificate that includes the EKU.



Faced the same issue with Sectigo; exceptions are only supported if you have Enterprise Certificate Manager.

robert.gartley
Level 1

I have a working solution for this issue using WinACME and Let's Encrypt CA and will be posting the details on how to generate the needed cert later today. I ran into this same issue with our Exp-E and was able to get the new cert loaded with less than 2hrs of validity on the Sectigo cert. It came down to the wire but it does work. Stay tuned....

How long is the validity of the certificate using WinACME and Let's Encrypt CA? 90 days? I don't remember; is there an option to renew it automatically?

Here's what I communicated to my SLT...

1. Let’s Encrypt certificates are only valid for 90 days and this certificate will expire on 2/17/2026. This is unlike our certificates from Sectigo which were valid for 365 days.
2. Although Let’s Encrypt supports the Automatic Certificate Management Environment (ACME) protocol, to retrieve the correct certificate attributes, the renewal process will be manual as it was this evening.

My thoughts are a working solution is better than no solution and it's no more manual than it was before as I wasn't using ACME.

robert.gartley
Level 1

Here's my working solution that I used to manually generate Let's Encrypt SSL certificates that have the Client Authentication EKU. This solution works at the time of this posting.

 

Cisco Expressway-E using a manual Let's Encrypt certificate with the Client Authentication EKU.
 
First, this solution is provided without support. As this worked for me, it should work for others as well, but use at your own risk.
 
Secondly, let me apologize as I've tried to spell this out as much as possible. Although some of the instructions may seem obvious, this is written for that other guy who may not know how to do everything.
 
Finally for these examples, my TLD is foo.bar and the FQDN of my Expressway-E is expe.foo.bar.
 
EDIT - It's documented by Let's Encrypt that beginning Oct 1st, 2025, you'll need to use a new "tlsclient" ACME profile to retrieve a certificate with the Client Authentication EKU. We obviously didn't need to do this at this time. Should LE start enforcing this, you can modify the c:\WinACME\settings.json file to add the ACME profile to the request and you should be good to go.
{
  "profile": "tlsclient",
  "identifiers": [
    { "type": "dns", "value": "foo.bar" }
  ]
}

 

Other than that, let's go.
 
Pre-requisites:
1. Must have the ability to generate CSR's on your Cisco Expressway-E
2. Must have the ability to upload new Certificate CA and Server Certificates to both the Cisco Expressway-E and Expressway-C appliances.
3. Must have the ability to add new TXT records to both your internal and external DNS servers. This is how Let's Encrypt will verify your ability to request certificates for your domain.
 
Procedure
1. On your Expressway-E, login and navigate to Maintenance > Security > Server certificate and fill out the needed fields to request your cert.
(We use multi-SAN certs here, so for this example I'm entering expe.foo.bar,foo.bar in the field titled Additional alternative names (comma separated))
2. Click Generate CSR
3. Open a cmd prompt running as Administrator
4. Create a directory called c:\WinACME
5. Create a directory called c:\WinACME\Certificates
6. Create a directory called c:\WinACME\CSRs
7. Download WinACME 2.2.9.1 (recommended) and extract all files to c:\WinACME
8. Generate and download the CSR from Expressway and save the file to c:\WinACME\CSRs
9. From the cmd prompt type wacs.exe and hit Enter
10. Press M for "Create certificate (full options)"
11. Press 3 for "CSR created by another program"
12. At the PkFile prompt, just press Enter. Remember the private key is still on the Expressway-E
13. At the CsrFile prompt, type in the path to your CSR file and hit enter
(e.g. c:\WinACME\CSRs\expe.foo.bar.csr)
14. You are prompted to enter a Friendly name. Simply type in the name of your domain otherwise it will look weird.
(e.g., expe.foo.bar)
15. Press 4 for "Single Certificate". It does this due to the multi-SAN requirements in the CSR request where WinACME sees multiple domains.
16. Press 6 for "[dns] Create verification records manually (auto-renew not possible)"
17. Press 3 for "PFX archive". This will save the PFX file to a location of your choice
18. At the File path: prompt enter the path to your Certificates directory at c:\WinACME\Certificates\
19. Press 1 for "None" as we don't need a .PFX password on the file.
20. Press 5 for "No (additional) store steps"
21. Press 3 for "No (additional) installation steps"
22. Press y to read LE Terms of Service
23. Press y to accept the LE Terms of Service
24. Enter an email address for notifications and hit Enter
(A distribution list email like cert-admins@foo.bar is great for this)
 
This is where things get interesting as LE wants to ensure that you're authorized to make certificate requests on behalf of your domain. We have two domains because we're using multi-SAN certificates, so we'll be doing this twice.
 
You'll need to create two TXT records. One on your internal DNS servers that your workstation running WinACME can resolve, and the other on your external DNS servers that LE can resolve.
 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 [expe.foo.bar] Authorizing...
 [expe.foo.bar] Authorizing using dns-01 validation (Manual)
 
Domain:              expe.foo.bar
Record:              _acme-challenge.expe.foo.bar
Type:                TXT
Content:             "bL8tcxxxxxxxxxxxxxxxxxxxxxxxxxxxxx723A"
Note:                Some DNS managers add quotes automatically. A single set is needed.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
You can read about the different challenge types here but this is using DNS-01. 
 
This can also take a couple of minutes. You've just added a new TXT and it will need to propagate. Use MXtoolBox SuperTool to verify that it's propagated.
 
Once verified that the new TXT record is visible externally and internally, go back to your command Window.
 
25. At the "Please press <Enter> after you've created and verified the record" prompt, press Enter.
 
Here you will see something similar to the below..
 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 [expe.foo.bar] Preliminary validation succeeded
 [expe.foo.bar] Record bL8tcxxxxxxxxxxxxxxxxxxxxxxxxxxxxx723A successfully created
 [expe.foo.bar] Preliminary validation succeeded
 [HTTP] Request completed with status BadRequest
 First chance error calling into ACME server, retrying with new nonce...
 [expe.foo.bar] Authorization result: valid
 
Domain:              expe.foo.bar
Record:              _acme-challenge.expe.foo.bar
Type:                TXT
Content:             "bL8tcxxxxxxxxxxxxxxxxxxxxxxxxxxxxx723A"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
You can see the HTTP validation failed, but at the end the DNS authorization result was valid. The WinACME instance we're using is now authorized to make certificate requests, and future renewals, for expe.foo.bar. Technically the DNS challenge is no longer needed and you can delete the TXT records from your DNS servers if you'd like, but I was a bit paranoid so I will do this once I have the certs in the end.
 
26. Press Enter to acknowledge you deleted the TXT records.
 
Remember that during our CSR request, this is a Multi-SAN cert so we're going to need to authorize for the TLD as well. You will now see something like the following. Note how this request is for foo.bar and the previous was expe.foo.bar.
 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 [foo.bar] Authorizing...
 [foo.bar] Authorizing using dns-01 validation (Manual)
 
Domain:              foo.bar
Record:              _acme-challenge.foo.bar
Type:                TXT
Content:             "DMoexxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxbSO4"
Note:                Some DNS managers add quotes automatically. A single set
                     is needed.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
Again, you'll need to create two TXT records. One on your internal DNS servers that your workstation running WinACME can resolve, and the other on your external DNS servers that LE can resolve. Once verified that the new TXT record for your TLD is visible externally and internally, go back to your command window.
 
27. At the "Please press <Enter> after you've created and verified the record" prompt, press Enter.
 
Like the previous cert, you'll see something like below
 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 [foo.bar] Preliminary validation succeeded
 [foo.bar] Record DMoeT4K5bkGSLHnBJTUez2kJssgARoZV_jHFT7ObSO4 successfully created
 [foo.bar] Preliminary validation succeeded
 [HTTP] Request completed with status BadRequest
 First chance error calling into ACME server, retrying with new nonce...
 [foo.bar] Authorization result: valid
 
Domain:              foo.bar
Record:              _acme-challenge.foo.bar
Type:                TXT
Content:             "DMoexxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxbSO4"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
Again, the DNS challenge is no longer needed and you can delete the TXT records from your DNS servers if you'd like, I'll be waiting until the end.
 
28. Press Enter to acknowledge you deleted the TXT records.
 
WinACME will want to add an automated task. This is great for IIS servers, but we're not doing that here.
 
29. At the "Do you want to specify the user the task will run as?", press N.
30. Press q to Quit WinACME. 
(Don't worry, we'll go back in to talk about renewals)
 
If you now navigate to the C:\WinACME\Certificates\ directory on your PC, you'll see a new expe.foo.bar.pfx file.
 
31. Right click on the .PFX file to open the .PFX file in Certmgr.
32. Path down to the certificates, right click on expe.foo.bar and click Open.
(Here you can click on the Details tab and check the Enhanced Key Usage attribute to ensure you have both Server and Client Authentication as well as the Subject Alternative Name section to ensure we have both the expe.foo.bar and foo.bar DNS names in there)
33. On the General Tab, at the bottom of the Certificate box click the Install Certificate... box
34. Select Current User and click Next
35. Select Automatically select the certificate store based on the type of certificate and click Next.
36. Click Finish
37. Click Ok on The import was successful box
38. Click OK to close the expe.foo.bar certificate
39. Right click on the R12 Issuing CA certificate and click Open.
(I've seen R12 and R13, but there may be others. I'll be using R12 for this example)
(Note the name of the CA server that issued the Issuing Certificate as we'll need to download that. In this case it's ISRG Root X1)
40. At the bottom of the Certificate box click the Install Certificate... box
41. Select Current User and click Next
42. Select Automatically select the certificate store based on the type of certificate and click Next.
43. Click Finish
44. Click Ok on The import was successful box
45. Click OK to close the R12 certificate
46. Download the appropriate Root CA certificate by going to https://letsencrypt.org/certificates/, go to the proper CA Server section, download the .PEM version of the certificate, and save it to the c:\WinACME\Certificates\ directory.
 
Now that we have the Root CA .PEM cert, we need to export the installed certs from our computer to .PEM format.
 
47. Right click the Windows start button and select Run.
48. In the Open dialog box type mmc.exe and hit Enter.
49. Click File, Add/Remove Snap-in..., select Certificates, click Add, select My user account, and click Finish.
50. On the Add or Remove Snap-ins box click OK.
51. At the top of the Left Window pane, Right click on the Certificates - Current User and select Find.
52. Search using the following attributes
Find: All certificate stores
Contains: expe
Look in Field: Issued To
Click Find Now
53. Right click on the expe.foo.bar certificate and click Export...
54. On the Export Wizard welcome screen, click Next.
55. Select Base-64 encoded X.509 (.CER) and click Next.
56. In the file name section type c:\WinACME\Certificates\expe.foo.bar.pem.cer and click Next
57. Click Finish
58. Click OK on the successful export box.
59. In the Find Certificates box, change Contains: expe to Contains: R12, which is our Issuing CA certificate, and click Find Now
60. Right click the R12 certificate and click Export...
61. On the Export Wizard welcome screen, click Next.
62. Select Base-64 encoded X.509 (.CER) and click Next.
63. In the file name section type c:\WinACME\Certificates\R12.pem.cer and click Next
64. Click Finish
65. Click OK on the successful export box.
66. Close the Find Certificates dialog box
 
Using Windows Explorer, navigate back to c:\WinACME\Certificates\
 
67. Rename expe.foo.bar.pem.cer to expe.foo.bar.pem
68. Rename R12.pem.cer to R12.pem
 
You now have all certificates you need for the Expressway-E
 
69. On your Expressway-C, login and navigate to Maintenance > Security > Trusted CA Certificate and upload the new LE Root and Issuing certificates. These are used to trust the certificate communication from the Expressway-E.
70. On your Expressway-C, login and navigate to Maintenance > Restart options, and select Restart so that the new certificates are read into the store. MRA devices may disconnect and register at this time.
71. On your Expressway-E, login and navigate to Maintenance > Security > Trusted CA Certificate and upload the new LE Root and Issuing certificates.
72. On your Expressway-E, login and navigate to Maintenance > Security > Server certificate, and upload your new LE Server Certificate.
73. On your Expressway-E, login and navigate to Maintenance > Restart options, and select Restart so that the new certificates are read into the store. MRA devices may disconnect and register at this time.
 
Test accordingly.
 
Once everything has tested successfully, you can now delete all TXT records from your Internal and External DNS servers.
 
What about Certificate Renewals?
 
So what happens when you need to renew your certificate? Good question! I've not had to do that.
 
One option that may work is to simply fire up that cmd prompt in Administrator mode, navigate to the c:\WinACME directory, and run wacs.exe. When run, you can see in the "A: Manage renewals" section that there is "1 total" available. Here you have the ability to renew your certificate. Download it and convert it to .PEM format using the procedures above. Once converted, you can log into your Expressway-E, navigate to Maintenance > Security > Server certificate, check the "Re-use current private key" check box, and upload your new LE Server Certificate. That should be it.
 
The other option, which is the worst case, is that you go into WinACME, in the "A: Manage renewals" section, you revoke and cancel your certificates for renewal, and start this procedure from scratch. 
 
Either way, if this helps at least one person, I'll be happy. 
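The checks in steps 31-32 (both EKUs present, both SANs present) and the certmgr/mmc export in steps 47-68 can be done from a shell with openssl before anything is uploaded to Expressway. The script below is an added example, not part of the post above or of WinACME; it assumes openssl 1.1.1+ on PATH, reuses the post's example names expe.foo.bar and foo.bar, and generates its own constructed test certificates rather than using real Let's Encrypt output.

```shell
#!/bin/sh
# Added example, not from the post: pre-upload checks for the PEM certificate
# produced in steps 31-68, done with openssl instead of certmgr/mmc.
# Assumes openssl 1.1.1+ on PATH. The certificates generated at the bottom are
# constructed test material, not real Let's Encrypt output.

# eku_line FILE: print the Extended Key Usage line of FILE (empty if absent)
eku_line() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Extended Key Usage/ { getline; print; exit }'
}

# expressway_ready FILE: succeed only if BOTH serverAuth and clientAuth are set,
# which is what Expressway needs for the C <-> E mutual TLS connection
expressway_ready() {
    ekus=$(eku_line "$1")
    case "$ekus" in *"TLS Web Server Authentication"*) server=yes ;; *) server=no ;; esac
    case "$ekus" in *"TLS Web Client Authentication"*) client=yes ;; *) client=no ;; esac
    echo "$1: serverAuth=$server clientAuth=$client"
    [ "$server" = yes ] && [ "$client" = yes ]
}

# expires_within FILE DAYS: succeed if FILE expires within DAYS days
# (a 90-day Let's Encrypt cert that is renewed manually needs a reminder)
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# pfx_to_pem PFX PASSWORD OUT: one-command equivalent of the mmc export in
# steps 47-58; the PKCS#12 bag attributes are stripped so OUT is clean PEM
pfx_to_pem() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null |
        openssl x509 -out "$3"
}

# --- constructed demo material: two self-signed certs for the post's FQDN ---
DEMO=$(mktemp -d)
mk_cert() {  # mk_cert NAME EKUS
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=expe.foo.bar" \
        -addext "subjectAltName=DNS:expe.foo.bar,DNS:foo.bar" \
        -addext "extendedKeyUsage=$2" \
        -keyout "$DEMO/$1.key" -out "$DEMO/$1.pem" 2>/dev/null
}
mk_cert good "serverAuth,clientAuth"   # what the tlsclient profile yields
mk_cert bad  "serverAuth"              # what public CAs now issue by default
# the post used no PFX password; "demo" is a constructed one for this run
openssl pkcs12 -export -in "$DEMO/good.pem" -inkey "$DEMO/good.key" \
    -passout pass:demo -out "$DEMO/good.pfx" 2>/dev/null

expressway_ready "$DEMO/good.pem"
expressway_ready "$DEMO/bad.pem" || echo "  -> Expressway would reject this one"
```

Run `expressway_ready` and `expires_within` against the real expe.foo.bar.pem after each manual renewal; the chain certificate can be pulled from the same PFX with `-cacerts` in place of `-clcerts`.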

 

nafnick
Community Member

Is anyone able to share any insight into what is actually being authenticated with the certificates that require clientAuth EKU? Or how they're being used?
These are 'server certificates' (or 'SSL') that are issued for domain names, for TLS. In the case where they're used to authenticate *to* a Cisco device or platform...what authentication is done?

The instructions above for Let's Encrypt don't seem to involve ensuring the certificate contains any specific information of any kind.
It seems what it's being used for is 'the other server has a certificate on it' - where the barrier to entry to get that certificate is simply...having access to the internet.

It doesn't seem like there's any actual authentication going on with the certificate, so it's confusing to me why it's even used in the first place.