This is a reminder that Duo’s existing CA bundle will expire on April 15, 2026 due to the the Mozilla CA distrust policy. This expiration will affect all Duo products that use certificate pinning. This service change affects all Duo customers and deployments. Once the CA root is distrusted, it can no longer be used to establish trust and secure communication with Duo’s systems. Duo cannot change or extend the Mozilla CA distrust date.
Duo will impose a staged soft cutoff of clients which include the expiring CA bundle on February 2, 2026 so we can manage disruptions and provide support.
We will follow that with a managed hard cutoff of clients which include the expiring CA bundle on March 31, 2026.
To avoid interrupted communications to Duo's cloud service you must update all affected applications and clients that connect to Duo’s servers to a compatible version with the latest CA bundle version by February 2, 2026.
Please review the article How can I make sure I am up to date with Duo's latest applications in time for the Duo root certificate authority bundle replacement? for detailed information and guidance, such as...
- Which products are affected or unaffected.
- How to identify your affected clients and applications.
- Update recommendations for affected Duo products.
- Who to contact about Duo integrations from third-party software vendors.
Questions?
Managed Service Providers may contact their MSP Partner Manager (PM) for additional details, such as the list of affected sub-accounts.
All other customers may contact Duo Support with any questions after reviewing the guidance in the linked knowledge base article.
