Microsoft 365 is updating services powering messaging, meetings, telephony, voice, and video to use TLS certificates from a different set of Root Certificate Authorities (CAs). This change is being m...
Public SSL OEMs are planning to stop including the Client Authentication EKU in certificates issued from 1st May 2026.
After 1st May 2026, the dual-EKU option will be permanently discontinued, meaning certificates will carry only the "Server Authentication" EKU.
Summary:
=========
Big change coming soon:- Public SSL/TLS OEMs will issue certificates with ServerAuth only (EKU = Server Authentication).
What used to happen:- Historically, all public SSL certs were issued with both ServerAuth and ClientAuth EKUs.
Why it matters:- Systems and/or SIP endpoints over the internet that rely on dual-purpose public certs for mTLS (for successful VoIP/PSTN calls) will lose TLS communication in the SIP environment.
What would be the way forward?
Session Border Controller (SBC) → Requires both EKUs.
SIP endpoint over the internet → Requires both EKUs.
TLS handshakes → Require both EKUs, as depicted in the diagram below.
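
To see which certificates on an SBC or SIP endpoint depend on the dual-EKU behaviour described above, the EKUs each one carries can be read with openssl. The script below is an added example, not part of the original post; the function names and the sample certificates (CN sbc.example.test) are constructed for illustration, and it assumes OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/usr/bin/env bash
# Added example: report which EKUs a PEM certificate carries.

# eku_profile FILE -> dual | server-only | client-only | other | no-eku | unreadable
eku_profile() {
    local eku server=no client=no
    openssl x509 -in "$1" -noout 2>/dev/null || { echo unreadable; return 1; }
    # The line after the extension header lists the EKU names.
    eku=$(openssl x509 -in "$1" -noout -text |
          grep -A1 'X509v3 Extended Key Usage' | tail -n 1)
    # No EKU extension: RFC 5280 places no purpose restriction on the key.
    [ -n "$eku" ] || { echo no-eku; return 0; }
    case "$eku" in *"TLS Web Server Authentication"*) server=yes ;; esac
    case "$eku" in *"TLS Web Client Authentication"*) client=yes ;; esac
    case "$server$client" in
        yesyes) echo dual ;;         # usable on both sides of mTLS
        yesno)  echo server-only ;;  # what public CAs will issue per the post
        noyes)  echo client-only ;;
        *)      echo other ;;
    esac
}

# make_sample PREFIX EKU_LIST: constructed self-signed test certificate.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=sbc.example.test" -addext "extendedKeyUsage=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Demo on two constructed certificates: one dual-EKU, one ServerAuth only.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/dual" "serverAuth,clientAuth"
make_sample "$demo_dir/srv"  "serverAuth"
for f in "$demo_dir"/*.pem; do
    printf '%s: %s\n' "${f##*/}" "$(eku_profile "$f")"
done
rm -rf "$demo_dir"
```

Running `eku_profile` over the certificates an SBC or endpoint presents as a TLS client shows which ones are `dual` today and would come back `server-only` on their next public renewal.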