I just received my first publicly signed certificate that does not include the client authentication key usage. Apparently this is an industry change happening:
https://www.sectigo.com/resource-library/tls-client-authentication-public-ca-end-2026#:~:text=Sectigo%20announced%20that%20starting%20September,no%20exceptions%20will%20be%20granted.
Expressway requires this attribute for the mutual authentication between C & E, and will not accept the certificate.

If we use a certificate signed by a private certificate, non-IT controlled devices will get a warning and/or fail when trying to use MRA. Also, my understanding is that physical phones have a trust list which cannot be added to, so they will stop working.
Is Cisco aware of this change and is there a recommended path forward?
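
For anyone auditing which of their certificates are affected, here is an added example (not part of the original post and not Cisco tooling) that checks whether a PEM certificate explicitly lists the client authentication EKU. The function names, file names and the `constructed.example` subject are assumptions; the two certificates are throwaway self-signed samples generated inline.

```bash
#!/bin/sh
# Returns 0 only if the PEM certificate in $1 explicitly lists the
# clientAuth EKU (printed by OpenSSL as "TLS Web Client Authentication").
# A certificate with no EKU extension at all is reported as "not listed".
has_client_auth() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Client Authentication'
}

# Constructed sample input: a throwaway self-signed certificate with the
# EKU list given in $2, written to $1.pem. Not a real Expressway certificate.
make_sample_cert() {
    cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = constructed.example
[ext]
extendedKeyUsage = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$1.cnf" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# One sample mimicking the new public-CA profile, one with both usages.
make_sample_cert "$tmp/server_only" "serverAuth"
make_sample_cert "$tmp/both" "serverAuth, clientAuth"

for cert in "$tmp/server_only.pem" "$tmp/both.pem"; do
    if has_client_auth "$cert"; then
        echo "$(basename "$cert"): clientAuth present"
    else
        echo "$(basename "$cert"): clientAuth NOT listed"
    fi
done
```

To check a real certificate, call `has_client_auth /path/to/cert.pem` on the file received from the CA before installing it.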