Field Notice: FN74382 - Cisco Unified Contact Center Products: Impact on Secure Communication Due to Upcoming Changes to TLS certificates Issued by Public Certificate Authorities with Client Authentication EKU, Starting March 2027 - Workaround Provided

Available Languages

Updated:March 30, 2026

Document ID:FN74382

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Critical

Impact Rating:

Critical

First Published:

2026-Mar-30

Last Published:

2026-Mar-30

Revision:

1.0

Cisco Bug IDs:

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Products Affected

Affected Software Product	Affected Release	Affected Release Number	Comments
Cisco Customer Voice Portal Software Releases	12	12.5(1), 12.6(2)	All releases are affected.
Cisco Customer Voice Portal Software Releases	15	15.0(1)	All releases are affected.
Cisco Virtualized Voice Browser Software Releases	12	12.5(1), 12.6(1), 12.6(2)	All releases are affected.
Cisco Virtualized Voice Browser Software Releases	15	15.0(1)	All releases are affected.
Finesse Software	12	12.5(1), 12.6(1), 12.6(2)	All releases are affected.
Finesse Software	15	15.0(1)	All releases are affected.
Packaged Contact Center Enterprise Virtual Machine Templates	12	12.5(1), 12.6(1), 12.6(2)	All releases are affected.
Packaged Contact Center Enterprise Virtual Machine Templates	15	15.0(1)	All releases are affected.
Unified Contact Center Enterprise Virtual Machine Templates	12	12.5(1), 12.6(1), 12.6(2)	All releases are affected. All releases are affected.
Unified Contact Center Enterprise Virtual Machine Templates	15	15.0(1)	All releases are affected.
Unified Intelligence Center Software	12	12.5(1), 12.6(1), 12.6(2)	All releases are affected.
Unified Intelligence Center Software	15	15.0(1)	All releases are affected.

Defect Information

Defect ID	Headline
CSCwt38851	Support for Separate Server and Client Certificate Support for CUIC
CSCwt23909	Support for Separate Server and Client Certificate Support for PCCE
CSCwt23908	Support for Separate Server and Client Certificate Support for UCCE
CSCwt38849	Support for Separate Server and Client Certificate Support for Finesse
CSCwt38846	Support for Separate Server and Client Certificate Support for Virtual VoiceBrowser
CSCwt38841	Support for Separate Server and Client Certificate Support for Cloud Connect

Problem Description

Effective March 2027, the Chrome Root Program Policy will restrict root certificate authority (CA) certificates that are included in the Chrome Root Store, phasing out multi-purpose roots to align all public-key infrastructure (PKI) hierarchies to serve only TLS server authentication use cases.

This constraint includes root CAs that assert an Extended Key Usage (EKU) only for server authentication (id-kp-serverAuth). As a result, certificates issued by a public root CA with only Server Authentication EKU will not be valid for client authentication in mutual TLS (mTLS) setups.

Note: The effective date of the Chrome Root Program Policy is subject to change. For the most up-to-date information, see the Chrome Root Program Policy.

Background

To meet the Chrome Root Program Policy requirement, effective March 2027, public root CAs that are part of Chrome Root Store will be restricted to Server Authentication EKU only, effectively sunsetting the Client Authentication EKU from the store. As a response, public CA servers will stop issuing Client Authentication EKU certifications before March 2027. This date might change, and timelines will be decided by the CAs.

Certificates must include only Server Authentication EKU to maintain trust from the Google Chrome browser. Including the Client Authentication EKU in these certificates will be prohibited.

Although certain public root CAs continue to issue certificates containing the Client Authentication EKU, they will eventually be removed from the Chrome Root Store.

Certificates that are used for mTLS connections in Cisco Unified Contact Center products are expected to include both Server and Client Authentication EKUs. Customers could choose to have these certificates from public CA providers.

Server Authentication EKU-only certificates that are provided by public root CAs can break certificate validity, leading to potential authentication issues in Cisco Unified Contact Center products and affecting proper functionality.

For more details, see the Chrome Root Program Policy.

Problem Symptom

Cisco Unified Contact Center products can be affected by potential authentication issues and impacted functionality due to broken certificate validity that is caused by using Server Authentication-only certificates provided by public root CAs.

Workaround/Solution

Before considering workaround and solution options, audit current certificates. Prepare an inventory of all public TLS certificates to identify which certificates contain the Client Authentication EKU. 

Workaround

Administrators can choose from one of the following workaround options.

Option 1: Switch to public root CAs that provide combined EKU certificates

Some public root CAs, such as DigiCert and IdenTrust, issue certificates with combined EKU types (server and client certificates) from an alternative root, which may not be included in the Chrome Root Store. Coordinate with the CA provider to check the availability of such certificates, and, before deploying them, ensure that both the server presenting the certificate and the clients consuming it trust the corresponding root CA.

This approach alleviates the need to upgrade server software to mitigate sunsetting of Client Authentication EKU enforced by the Chrome Root Program Policy.

The following table, which shows examples of public root CAs and EKU types, is not an exhaustive list and is for illustrative purposes only.

CA Vendor EKU Type Root CA Issuing/Sub CA

IdenTrust clientAuth + serverAuth IdenTrust Public Sector Root CA 1 IdenTrust Public Sector Server CA 1

IdenTrust clientAuth IdenTrust Public Sector Root CA 1 TrustID RSA ClientAuth CA 2

IdenTrust serverAuth (browser trusted) IdenTrust Commercial Root CA 1 HydrantID Server CA O1

DigiCert clientAuth + serverAuth DigiCert Assured ID Root G2 DigiCert Assured ID CA G2

DigiCert clientAuth DigiCert Assured ID Root G2 DigiCert Assured ID Client CA G2

DigiCert serverAuth (browser trusted) DigiCert Global Root G2 DigiCert Global G2 TLS RSA SHA256

Option 2: Renew current certificates to extend validity

Certificates that were issued by public root CAs before the sunsetting of Client Authentication EKU and that have both Server and Client Authentication EKU will continue to be honored until their term expires. However, it is best to renew combined EKU certificates before policy sunsetting occurs.

To maximize certificate validity, renew certificates before March 15, 2026, when public CAs will reduce maximum validity to 200 days. Note that CA policies vary. Some may implement this change earlier, reducing validity to 200 and 100 days. Work with CA providers to find the appropriate date and path.

Note: Some Public CAs have stopped issuing combined EKU certificates and may not provide one by default. To generate a certificate with a combined EKU, work with public CAs, which may provide special profiles. 

Upgrade servers after the solution mentioned in this field notice is available.

The following image shows the Client Authentication EKU depreciation timeline, which is subject to change. For the most recent information, check with the specific CA:

Option 3: Evaluate and Migrate to Alternatives.

Evaluate the feasibility of transitioning to a private PKI and then set up a private CA to issue single certificates with combined EKUs.

Before issuing or deploying a certificate, ensure that both the server presenting the certificate and all clients consuming it trust the corresponding root CA. Using this approach will alleviate the need to upgrade server software to mitigate sunsetting of Client Authentication EKU that is enforced by the Chrome Root Program Policy.

CA Vendor	EKU Type	Root CA	Issuing/Sub CA
IdenTrust	clientAuth + serverAuth	IdenTrust Public Sector Root CA 1	IdenTrust Public Sector Server CA 1
IdenTrust	clientAuth	IdenTrust Public Sector Root CA 1	TrustID RSA ClientAuth CA 2
IdenTrust	serverAuth (browser trusted)	IdenTrust Commercial Root CA 1	HydrantID Server CA O1
DigiCert	clientAuth + serverAuth	DigiCert Assured ID Root G2	DigiCert Assured ID CA G2
DigiCert	clientAuth	DigiCert Assured ID Root G2	DigiCert Assured ID Client CA G2
DigiCert	serverAuth (browser trusted)	DigiCert Global Root G2	DigiCert Global G2 TLS RSA SHA256

Solution

The following product enhancements will be implemented in the fixed release that is described in the table in this section:

Segregation of client and server certificates: This will enable support for two separate certificates on the same interface, such as Tomcat server certificates (with Server Authentication EKU) and Tomcat client certificates (with Client Authentication EKU) to facilitate mTLS connections. Customers must arrange for Client Authentication EKU certificates from either private PKI or alternate root CAs.
Options for administrators to disable Client Authentication EKU checks: This will allow Cisco Unified Contact Center products to ignore EKU from remote peers (clients) that are requesting a connection with Server Authentication EKU-only certificates. This option will also allow Cisco Unified Contact Center products to (re)use the Server Authentication EKU-only certificate as a client certificate. Note: The remote peer will also have to support a similar Ignore Client Authentication EKU model.

To segregate server and client certificates or to use the Ignore EKU option, upgrade to a fixed release as shown in the following table:

Affected Cisco Product	Affected Releases	First Fixed Release
Unified CCE Packaged CCE Unified CVP Finesse Unified Intelligence Center Virtualized Voice Browser	12.5(1), 12.6(1), 12.6(2), 15.0(1), 15.0(1)SU1	15.0(1)SU2 (future release Q4CY26)

Revision History

Version	Description	Section	Date
1.0	Initial Release	—	2026-MAR-30

For More Information

For further assistance or for more information about this field notice, contact the Cisco Technical Assistance Center (TAC) using one of the following methods:

Receive Email Notification About New Field Notices

To receive email updates about Field Notices (reliability and safety issues), Security Advisories (network security issues), and end-of-life announcements for specific Cisco products, set up a profile in My Notifications.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)