Forum Discussion
Client authentication EKU changes in public TLS certificate
Hi,
Can someone clarify the upcoming change to remove the client authentication EKU and the conflicting information within MS docs for Teams Direct Routing certificates?
As stated here, from October 2025 there is an industry-wide change to remove the client authentication EKU from issued TLS certificates:
https://knowledge.digicert.com/alerts/sunsetting-client-authentication-eku-from-digicert-public-tls-certificates
However, both server and client EKUs are required for mTLS, and Microsoft states here that both server and client EKUs are required:
https://learn.microsoft.com/en-us/microsoftteams/direct-routing-whats-new#sbc-certificates-eku-extensions-test
DigiCert are offering an X9 PKI that includes both server and client EKUs, but it seems the signing CA is not trusted by Microsoft at this stage.
What guidance are Microsoft offering with this upcoming change to ensure that customers are not affected when renewing their certificates?
1 Reply
- Sagir_Copper Contributor
Same Ask from my side:
Public SSL OEMs planning to stop EKUs (Client Authentication) while issuing from 1st May 2026.
After 1st May 2026, the dual-EKU option will be permanently discontinued, meaning only EKU "Server Authentication".
Summary:
=========
• Big change coming soon:- Public SSL/TLS OEMs issue certificates with ServerAuth only (EKU = server authentication).
• What used to happen:- Historically, all public SSL certs were issued with both ServerAuth and ClientAuth EKUs.
• Why it matters:- Systems and/or SIP Endpoints over the internet relying on dual-purpose public certs for mTLS (for a successful VOIP/PSTN calls) will stop TLS communication in SIP environment.
What would be way forward.
• Session Border Controller (SBC) → Requires both EKU.
• SIP Endpoint over internet → Requires both EKU.
• TLS handshakes → require both EKU as depicted in below diagram.
https://knowledge.digicert.com/alerts/sunsetting-client-authentication-eku-from-digicert-public-tls-certificates
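
For anyone inventorying SBC certificates ahead of renewal, the following added example (not part of the thread, and not Microsoft or DigiCert code) reads the Extended Key Usage extension from a DER-encoded certificate and reports whether serverAuth and clientAuth are both present. The function names and the sample input built by `sample_extensions` are constructed for illustration.

```python
# Added example: helper names are illustrative; sample input is constructed.
EKU_EXT_OID = bytes.fromhex("551d25")            # 2.5.29.37 extKeyUsage
SERVER_AUTH = bytes.fromhex("2b06010505070301")  # 1.3.6.1.5.5.7.3.1
CLIENT_AUTH = bytes.fromhex("2b06010505070302")  # 1.3.6.1.5.5.7.3.2

def tlv(buf, pos):
    """Decode one DER element at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def search(tag, val):
    """Walk constructed elements until the EKU Extension SEQUENCE is found."""
    if not tag & 0x20:                     # primitive: nothing to descend into
        return None
    kids = children(val)
    if tag == 0x30 and kids and kids[0] == (0x06, EKU_EXT_OID) and kids[-1][0] == 0x04:
        _, eku_seq, _ = tlv(kids[-1][1], 0)   # OCTET STRING wraps SEQUENCE OF OID
        return {v for t, v in children(eku_seq) if t == 0x06}
    for t, v in kids:
        found = search(t, v)
        if found is not None:
            return found
    return None

def eku_status(der):
    """Classify a DER certificate by the EKUs relevant to mTLS."""
    ekus = search(*tlv(der, 0)[:2])
    if ekus is None:
        return "no EKU extension"
    names = [n for n, oid in (("serverAuth", SERVER_AUTH), ("clientAuth", CLIENT_AUTH)) if oid in ekus]
    return "+".join(names) or "other EKUs only"

def enc(tag, body):                        # DER builder for the samples (short lengths only)
    return bytes([tag, len(body)]) + body

def sample_extensions(*ekus):   # constructed input: [3] extensions block with one EKU extension
    eku_seq = enc(0x30, b"".join(enc(0x06, o) for o in ekus))
    ext = enc(0x30, enc(0x06, EKU_EXT_OID) + enc(0x04, eku_seq))
    return enc(0xA3, enc(0x30, ext))
```

A PEM file can be converted first with `openssl x509 -in cert.pem -outform DER`; a result of `serverAuth` alone identifies a certificate issued without the client authentication EKU.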