THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
| Affected Software Product | Affected Release | Affected Release Number | Comments |
|---|---|---|---|
| Duo Authentication Proxy | - |

| Defect ID | Headline |
|---|---|
| CSCvf34445 | There were no defects filed with this field notice at the time of publication. |

On April 15, 2026, Mozilla and Google Chrome will distrust the DigiCert certificates in the existing Cisco Duo certificate authority (CA) pinning bundle. This out-of-band distrust event will affect all Cisco Duo products that use certificate pinning. This affects all Cisco Duo editions: Duo Free, Duo Essentials, Duo Advantage, Duo Premier, Duo Federal Essentials, and Duo Federal Advantage. All types of accounts (paid, trial, free, developer, and partner) are included.
The latest releases of all affected products now include a new Cisco Duo CA pinning bundle, which contains root certificates issued by a variety of certificate authorities for future redundancy.
In anticipation of this expiration and to manage disruptions and provide support, Cisco Duo will impose a soft cutoff of the expiring CA bundle on February 2, 2026. The change for Cisco Duo products will be permanent on March 31, 2026.
CA Certificate Pinning
A CA is a TLS Certificate Authority. When TLS clients (like web browsers or applications that call the Cisco Duo APIs) connect to a server, they check whether the server has a TLS certificate that is signed by a CA that the client trusts and that matches the server domain name.
If the server does not have a signed, matching certificate, the client immediately closes the connection without sending any data. Most applications simply trust whatever CAs the operating system or browser is configured to trust. The defaults vary slightly between platforms but generally include all CAs that meet the rules set by the CA/Browser (CAB) Forum.
If an application or library deploys its own list of trusted CAs (instead of trusting any CA that the platform where the application runs has been configured to trust), it is said to be pinned to its included CAs. This allows custom criteria for which CAs the code trusts.
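The effect of pinning on chain validation can be reproduced offline with OpenSSL. This is an added example, not Cisco's code or tooling: it builds two throwaway roots and shows that a client pinned to the old bundle rejects a server certificate issued under a root it does not ship, while a refreshed multi-root bundle accepts it. Assumptions: OpenSSL 1.1.1 or later with its default configuration, a service that presents a chain from a root outside the old bundle, and constructed names throughout (`api.example.test`, `Demo old root`, `Demo new root`).

```bash
#!/usr/bin/env bash
# Added illustration: every key, name and certificate below is generated
# locally for the demo; none of it is Duo's real PKI or bundle.
set -eu

# Create one server key/CSR and two private roots, then issue a server
# certificate for the same name under each root.
build_demo_pki() {
  d=$1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=api.example.test" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  for ca in old new; do
    # Self-signed root (CA:TRUE comes from the default openssl.cnf).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=Demo $ca root" \
      -keyout "$d/$ca-ca.key" -out "$d/$ca-ca.pem" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -days 7 -CAcreateserial \
      -CA "$d/$ca-ca.pem" -CAkey "$d/$ca-ca.key" \
      -out "$d/srv-$ca.pem" 2>/dev/null
  done
  # Bundle shipped inside the old client: only the old root.
  cp "$d/old-ca.pem" "$d/bundle-old.pem"
  # Refreshed bundle: several roots, so losing one CA does not strand clients.
  cat "$d/old-ca.pem" "$d/new-ca.pem" > "$d/bundle-new.pem"
}

# Validate a server certificate against ONLY the given bundle, as a pinned
# client does; -no-CApath keeps the platform trust directory out of it.
verify_pinned() {
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {  # arguments: label, pinned bundle, server certificate
  if verify_pinned "$2" "$3"; then echo "$1: chain verifies, handshake continues"
  else echo "$1: no trusted issuer, client closes the connection"; fi
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
build_demo_pki "$DEMO_DIR"
report "old bundle, cert from old root" "$DEMO_DIR/bundle-old.pem" "$DEMO_DIR/srv-old.pem"
report "old bundle, cert from new root" "$DEMO_DIR/bundle-old.pem" "$DEMO_DIR/srv-new.pem"
report "new bundle, cert from new root" "$DEMO_DIR/bundle-new.pem" "$DEMO_DIR/srv-new.pem"
```

The second case is the failure an un-updated pinned client sees: the certificate is valid for the server name, but no issuer in the pinned bundle vouches for it.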
What happens if action is not taken by February 2, 2026?
Cisco Duo applications that rely on certificate pinning that are not updated by the February 2, 2026, soft cutoff will start to experience connectivity disruption that day, with increasing disruption frequency throughout February 2026 unless there is an approved extension in place. The affected clients could fail to connect to the Cisco Duo cloud service to authenticate users, receive login requests (such as Duo Push requests), import users, or perform management operations through APIs.
Use this time to upgrade or retire remaining affected client applications as shown in the Unsupported Clients Log Admin Panel Report before the March 31, 2026, final deadline.
What happens if action is not taken by March 31, 2026?
Cisco Duo applications that rely on certificate pinning that are not updated before the March 31, 2026, final deadline will fail to connect to the Cisco Duo cloud service to authenticate users, receive login requests (such as Duo Push requests), import users, or perform management operations through APIs. No extensions will be honored.
Important: Applications that are configured to fail open will do so, allowing access without Cisco Duo authentication. Application access will be blocked if the application does not offer a configurable fail mode or if a fail closed configuration was chosen.
Solution
Due to the CA certificate expiration date, Cisco Duo is unable to provide an extension beyond March 31, 2026. Customers must update Cisco Duo software according to the following table:
| Affected Product | Affected Release | First Fixed Release |
|---|---|---|
| Duo Mobile - Android | 4.84.0 and earlier | 4.85.0 |
| Duo Mobile - iOS | 4.84.0 and earlier | 4.85.0 |
| duo_api_csharp | 1.0.0 and earlier | 1.1.0 |
| duo_api_golang | 0.1.0 and earlier | 0.2.0 |
| duo_api_nodejs | 1.4.0 and earlier | 1.5.0 |
| duo_api_perl | 1.3.0 and earlier | 1.4.0 |
| duo_api_php | 1.1.0 and earlier | 1.2.0 |
| duo_api_ruby | 1.4.0 and earlier | 1.5.0 |
| duo_client_java | 0.7.0 and earlier | 0.7.1 |
| duo_client_python | 5.4.0 and earlier | 5.5.0 |
| libduo | 2.1.0 and earlier | 2.2.0 |
| duo_universal_csharp | 1.2.5 and earlier | 1.3.0 |
| duo_universal_golang | 1.0.3 and earlier | 1.1.0 |
| duo_universal_nodejs | 2.0.3 and earlier | 2.1.0 |
| duo_universal_java | 1.3.0 and earlier | 1.3.1 |
| duo_universal_python | 2.1.1 and earlier | 2.2.0 |
| duo_universal_php | 1.0.2 and earlier | 1.1.0 |
| Duo Access Gateway (DAG) Linux | 2.1.0 and earlier | 2.1.1 |
| Duo Access Gateway (DAG) Windows | 2.1.0 and earlier | 2.1.1 |
| Duo AD FS Adapter | 2.3.0 and earlier | 2.4.0 |
| Duo Authentication for OWA | 2.1.0 and earlier | 2.2.0 |
| Duo Authentication for RD Web | 3.0.0 and earlier | 3.1.0 |
| Duo Authentication for macOS | 2.0.4 and earlier | 2.0.5 |
| Duo Authentication Proxy Linux | 6.5.0 and earlier | 6.5.1 |
| Duo Authentication Proxy Windows | 6.5.0 and earlier | 6.5.1 |
| Duo Network Gateway (DNG) | 3.2.2 and earlier | 3.3.0 |
| Duo OpenVPN | 2.5 and earlier | 2.6 |
| Duo OpenVPN AS | 2.6 and earlier | 2.7 |
| Duo for Oracle Access Manager (OAM) | 2.0.0 and earlier | 2.1.0 |
| Duo Universal WordPress | 1.2.0 and earlier | 1.2.1 |
| Duo Unix | 2.0.4 and earlier | 2.1.0 |
| Duo Log Sync | 2.3.0 and earlier | 2.4.0 |
| Duo Splunk Connector | 2.1.0 | NONE (EoL Product) |
| Duo Epic for Hyperdrive with Duo Universal Prompt (beta) | 1.9.9 and earlier | 1.9.10 |
If no workaround is available, then failure to update affected applications by this deadline will result in the outcomes that are described in the Guide to Update Duo Software.
Workaround
Some Cisco Duo applications may have a workaround available, which could consist of the following:
Note that any workaround is not intended as a permanent solution because it may lessen the security of the Cisco Duo application. It also may not persist across updates or local configuration changes. Using a workaround may also require that an approved extension be in place so that clients using the workaround are not affected by the February 2, 2026, soft cutoff.
Request an Extension
To request an extension to March 31, 2026, fill out the Request for Extension to Duo Clients/Applications Update Timeline form. Requests will be reviewed on a case-by-case basis. Submitters will receive an email confirming the extension.
Note that banners and other guidance shown in the Cisco Duo Admin Panel UI will still reference February 2, 2026. These banners are not dynamic and will not change based on extension status. Refer to the confirmation email to confirm extension status.
For information about specific releases, see the Guide to Update Duo Software.
| Version | Description | Section | Date |
|---|---|---|---|
| 1.0 | Initial Release | — | 2026-JAN-29 |
For further assistance or for more information about this field notice, contact the Cisco Technical Assistance Center (TAC) using one of the following methods:
To receive email updates about Field Notices (reliability and safety issues), Security Advisories (network security issues), and end-of-life announcements for specific Cisco products, set up a profile in My Notifications.