Forum Discussion
Client authentication EKU changes in public TLS certificate
Same ask from my side:
Public SSL OEMs are planning to stop issuing the Client Authentication EKU in certificates issued from 1 May 2026.
After 1 May 2026, the dual-EKU option will be permanently discontinued, meaning only the "Server Authentication" EKU will be issued.
Summary:
=========
• Big change coming soon: public SSL/TLS OEMs will issue certificates with ServerAuth only (EKU = Server Authentication).
• What used to happen: historically, all public SSL certs were issued with both ServerAuth and ClientAuth EKUs.
• Why it matters: systems and/or SIP endpoints over the internet that rely on dual-purpose public certs for mTLS (for successful VoIP/PSTN calls) will stop TLS communication in the SIP environment.
What would be the way forward?
• Session Border Controller (SBC) → requires both EKUs.
• SIP endpoint over the internet → requires both EKUs.
• TLS handshakes → require both EKUs, as depicted in the diagram below.
https://knowledge.digicert.com/alerts/sunsetting-client-authentication-eku-from-digicert-public-tls-certificates
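As an added example that is not part of the original post or of any vendor's tooling: a small POSIX shell audit, using only the openssl CLI, that reports whether a PEM certificate still carries the Client Authentication EKU alongside Server Authentication. To run offline it builds two constructed self-signed test certificates (one dual-EKU, one ServerAuth-only); the file names, the temporary directory and the helper names (eku_line, has_client_auth, has_server_auth, audit_cert, make_test_cert) are assumptions, and the real check is the one run against the SBC's or SIP endpoint's actual certificate file. It needs OpenSSL 1.1.1 or newer for the -addext option used by the test-cert helper.

```shell
#!/bin/sh
# Added example (not from the original post): audit a PEM certificate's
# Extended Key Usage for the Client Authentication EKU that public CAs are
# dropping. Needs the openssl CLI (1.1.1 or newer for -addext). File names
# and the helper names below are assumptions for illustration.
set -eu

# eku_line CERT.pem -> prints the EKU value line of the text dump, empty if no EKU
# (openssl prints "X509v3 Extended Key Usage:" and the values on the next line)
eku_line() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' \
        | tail -n 1 \
        | sed 's/^[[:space:]]*//'
}

# has_client_auth CERT.pem -> returns 0 if the EKU includes clientAuth, 1 otherwise
has_client_auth() {
    case "$(eku_line "$1")" in
        *"TLS Web Client Authentication"*) return 0 ;;
        *) return 1 ;;
    esac
}

# has_server_auth CERT.pem -> returns 0 if the EKU includes serverAuth, 1 otherwise
has_server_auth() {
    case "$(eku_line "$1")" in
        *"TLS Web Server Authentication"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_cert CERT.pem -> prints a verdict; returns 0 only when both EKUs are present,
# which is what a dual-role (server + client) mTLS deployment needs
audit_cert() {
    if has_server_auth "$1" && has_client_auth "$1"; then
        echo "$1: serverAuth+clientAuth -> OK for dual-role SBC/SIP mTLS"
        return 0
    elif has_server_auth "$1"; then
        echo "$1: serverAuth only -> a peer that requires the clientAuth EKU will reject it as a client cert"
        return 1
    else
        echo "$1: no serverAuth EKU -> not usable as a TLS server cert"
        return 1
    fi
}

# make_test_cert OUT.pem EKUS -> constructed self-signed cert for testing only
# (not a public CA certificate), e.g. make_test_cert dual.pem serverAuth,clientAuth
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=sbc.example.test" \
        -addext "extendedKeyUsage=$2" \
        -keyout "${1%.pem}.key" -out "$1" 2>/dev/null
}

# Stand-alone demo on constructed certs; real use is: audit_cert /path/to/sbc-cert.pem
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_test_cert "$demo_dir/dual.pem" "serverAuth,clientAuth"
make_test_cert "$demo_dir/server_only.pem" "serverAuth"
audit_cert "$demo_dir/dual.pem"
audit_cert "$demo_dir/server_only.pem" || true
```

Run audit_cert against the certificate actually installed on the SBC or endpoint (and again after the CA reissues it) to see which side of the 1 May 2026 cut-off it falls on. The check covers only the EKU extension; whether a given peer enforces the clientAuth EKU at all is a property of that peer's TLS stack, so a handshake test against the real counterpart is still the final word.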