Public certs removing client authentication breaking Expressway

mhurley131
Level 4

I just received my first publicly signed certificate that does not include the client authentication key usage. Apparently this is an industry change happening:

https://www.sectigo.com/resource-library/tls-client-authentication-public-ca-end-2026#:~:text=Sectigo%20announced%20that%20starting%20September,no%20exceptions%20will%20be%20granted.

Expressway requires this attribute for the mutual authentication between C & E, and will not accept the certificate.


If we use a certificate signed by a private certificate, non-IT controlled devices will get a warning and/or fail when trying to use MRA. Also, my understanding is that physical phones have a trust list which cannot be added to, so they will stop working.

Is Cisco aware of this change and is there a recommended path forward?


@nafnick Per the Cisco Expressway Certificate Creation and Use Deployment Guide (X15.0), "The server certificate for the Expressway also needs Client Authentication if you want to configure a neighbor or traversal zone with mutual authentication (TLS verify mode)", which is mTLS. This is so the Exp-E (outside DMZ) can talk to the Exp-C (inside LAN) securely. mTLS is also a requirement for Expressway integration with WebEx.

Even if it's not used for anything, the way things stand right now is that the Expressway won't even accept a new certificate without the Client Authentication EKU present, so that's the larger issue.

samuel.gay
Level 1

FYI, I just renewed a certificate with Digicert. I confirm that it is still possible to get a certificate with both the server and client authentication EKUs; you just need to configure it in the settings first.

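Added example, not from any of the posters: an openssl check for the "TLS Web Client Authentication" EKU that Expressway expects, run against two constructed self-signed test certificates, one carrying serverAuth+clientAuth and one serverAuth-only (standing in for a public cert issued under the new CA policy). It assumes OpenSSL 1.1.1 or later, which is needed for `-addext`; point `list_eku` at the PEM returned by the CA to check a real certificate before uploading it.

```shell
# Added example, not from the thread: check a PEM certificate for the
# clientAuth EKU ("TLS Web Client Authentication") that Expressway wants
# for mutual TLS between Exp-C and Exp-E. Requires OpenSSL >= 1.1.1.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test certificates; a real check would point at the cert
# returned by the public CA instead.
make_test_cert() {
  # $1 = output PEM path, $2 = extendedKeyUsage value
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/key.pem" -out "$1" \
    -subj "/CN=expressway-test.example" \
    -addext "extendedKeyUsage=$2" >/dev/null 2>&1
}
make_test_cert "$WORK/dual-eku.pem"    "serverAuth,clientAuth"
make_test_cert "$WORK/server-only.pem" "serverAuth"

# Prints the EKU purposes found in a certificate, one per line
# (empty output when the extension is absent).
list_eku() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Extended Key Usage' | tail -n 1 \
    | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# Returns 0 when the certificate carries the clientAuth EKU, 1 otherwise.
has_client_auth_eku() {
  list_eku "$1" | grep -qx 'TLS Web Client Authentication'
}

# Returns 0 only when both EKUs the Expressway guide calls for are present.
suitable_for_expressway_mtls() {
  list_eku "$1" | grep -qx 'TLS Web Server Authentication' &&
    has_client_auth_eku "$1"
}

for cert in "$WORK/dual-eku.pem" "$WORK/server-only.pem"; do
  if suitable_for_expressway_mtls "$cert"; then
    echo "OK   $(basename "$cert"): $(list_eku "$cert" | tr '\n' ' ')"
  else
    echo "FAIL $(basename "$cert"): clientAuth EKU missing, Expressway will reject it"
  fi
done
```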