Genesys Cloud
Client authentication EKU support removed from Genesys Cloud certificate
| Announced on | Effective date | Aha! Idea |
|---|---|---|
| 2025-12-15 | - | - |
In a future release, Genesys Cloud will remove the Client Authentication Extended Key Usage (EKU) from certificates used by BYOC Cloud SIP TLS endpoints. Public certificate authorities are phasing out this EKU across the industry, and Genesys Cloud is aligning with these updated standards.
Historically, BYOC Cloud certificates included the Client Authentication EKU even though BYOC Cloud does not use mutual TLS (mTLS) or client certificate authentication. Standard server-side TLS has always been the supported model, and secure SIP communication continues to rely on that approach. Removing the unused EKU helps ensure that certificate behavior matches actual platform usage and reduces the potential for configuration misunderstandings.
Some customer SIP endpoints may have been configured to request client certificates even though mTLS has never been part of the BYOC Cloud connection model. These configurations appeared to work because existing certificates included the EKU. Aligning certificate contents with intended TLS behavior helps ensure deployments rely on supported security practices going forward.
This update aligns BYOC Cloud with new certificate authority practices and ensures that TLS behavior accurately reflects the platform’s supported security model. Organizations that confirm their SIP endpoints are not configured for client authentication will transition smoothly when certificates begin renewing without the Client Authentication EKU.
What will change
- Certificates issued after February 2026 will no longer include the Client Authentication EKU.
- BYOC Cloud SIP endpoints will no longer present certificates containing that EKU during outbound TLS handshakes. On an outbound call Genesys Cloud is the TLS client; if the customer endpoint sends a Certificate Request, Genesys Cloud answers it with this certificate.
- Customer endpoints configured to require client authentication, or to validate the EKU of a presented client certificate, may reject the TLS handshake once certificates renew, and outbound calls to those endpoints will fail.
What will not change
- Inbound calls remain unaffected because BYOC Cloud does not request client certificates.
- SIP TLS continues to operate using server-side authentication as designed.
- The Dynamic Voice Cloud Platform BYOC SIP endpoints are already aligned with this model and are not affected.
Required customer action
Customers using the current BYOC Cloud platform should ensure that their SIP endpoints do not request a client certificate during the TLS handshake.
To verify this:
- Capture the TLS handshake for an outbound call on the customer side, between the Genesys Cloud BYOC Cloud endpoint (the TLS client) and the customer SIP endpoint (the TLS server).
- Confirm that the customer SIP endpoint does not send a Certificate Request message. In TLS 1.2 this message is sent in the clear, between the server's Certificate and ServerHelloDone messages. In TLS 1.3 the Certificate Request is encrypted and is not visible in a plain capture, so check the endpoint's TLS configuration or its handshake debug logging instead.
If a Certificate Request is present, update the configuration so the endpoint does not require client authentication or mutual TLS. Note that "optional" or "request but do not require" client-certificate settings still send a Certificate Request, so those modes must be disabled as well; the endpoint should perform standard server-side TLS only.
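The following is an added example for the verification step above; it is not Genesys code and the byte strings in it are constructed, not captured from a live BYOC Cloud call. It reassembles the cleartext TLS 1.2 handshake stream from a byte capture of the server's side of the connection, walks the handshake messages, and reports whether a CertificateRequest (handshake type 13, RFC 5246 section 7.4.4) is present, decoding its certificate types, signature algorithms and CA names. It handles handshake messages that span record boundaries and stops at ChangeCipherSpec, since everything after that is encrypted. It does not apply to TLS 1.3 captures, where the CertificateRequest is itself encrypted.

```python
"""Scan a captured TLS 1.2 server flight for a CertificateRequest (RFC 5246 section 7.4.4).

Added example, not Genesys code. All sample bytes below are constructed.
"""
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20
CERTIFICATE_REQUEST = 13
HANDSHAKE_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 13: "CertificateRequest",
                   14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
OID_COMMON_NAME = b"\x06\x03\x55\x04\x03"   # DER-encoded id-at-commonName


def read_vector(buf, pos, len_size):
    """Read a TLS length-prefixed vector at pos; return (contents, position after it)."""
    length = int.from_bytes(buf[pos:pos + len_size], "big")
    pos += len_size
    if pos + length > len(buf):
        raise ValueError("truncated vector")
    return buf[pos:pos + length], pos + length


def handshake_messages(stream):
    """Yield (msg_type, body) for every cleartext handshake message in a TLS byte stream.

    Handshake messages may be split across records or packed several to a record,
    so all handshake record payloads are concatenated before the messages are walked.
    Parsing stops at the first non-handshake record (ChangeCipherSpec): everything
    after it is encrypted and cannot be inspected without the session keys.
    """
    hs, off = bytearray(), 0
    while off + 5 <= len(stream):              # record header: type(1) version(2) length(2)
        if stream[off] != HANDSHAKE:
            break
        payload, off = read_vector(stream, off + 3, 2)
        hs += payload
    pos = 0
    while pos + 4 <= len(hs):                  # handshake header: msg_type(1) length(3)
        msg_type = hs[pos]
        body, pos = read_vector(hs, pos + 1, 3)
        yield msg_type, bytes(body)


def common_name(dn):
    """Minimal DER walk: return the CN of a DistinguishedName, or None if absent."""
    i = dn.find(OID_COMMON_NAME)
    if i < 0:
        return None
    # Skip the string tag byte, then read the short-form length and the value.
    value, _ = read_vector(dn, i + len(OID_COMMON_NAME) + 1, 1)
    return value.decode("utf-8", "replace")


def parse_certificate_request(body):
    """Decode certificate_types, supported_signature_algorithms and certificate_authorities."""
    cert_types, pos = read_vector(body, 0, 1)
    sigalgs, pos = read_vector(body, pos, 2)
    ca_list, _ = read_vector(body, pos, 2)
    ca_names, p = [], 0
    while p < len(ca_list):
        dn, p = read_vector(ca_list, p, 2)
        ca_names.append(common_name(dn))
    return {"certificate_types": list(cert_types),
            "signature_algorithms": [tuple(sigalgs[i:i + 2]) for i in range(0, len(sigalgs), 2)],
            "ca_common_names": ca_names}


def summarize(stream):
    """Return the handshake message names seen and the decoded CertificateRequest, if any."""
    result = {"messages": [], "certificate_request": None}
    for msg_type, body in handshake_messages(stream):
        result["messages"].append(HANDSHAKE_NAMES.get(msg_type, f"type {msg_type}"))
        if msg_type == CERTIFICATE_REQUEST:
            result["certificate_request"] = parse_certificate_request(body)
    return result


def requests_client_cert(stream):
    """True if the server side of the capture asked for a client certificate."""
    return summarize(stream)["certificate_request"] is not None


def tls_record(content_type, body):
    return bytes([content_type]) + b"\x03\x03" + struct.pack("!H", len(body)) + body


def handshake_msg(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def build_sample_flight(with_cert_request):
    """Constructed TLS 1.2 server flight: dummy certificate bytes and one dummy CA 'Test CA'."""
    server_hello = handshake_msg(2, b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2f\x00")
    certificate = handshake_msg(11, b"\x00\x00\x05" + b"\x00\x00\x02\x30\x00")
    test_ca_dn = bytes.fromhex("30 12 31 10 30 0e 06 03 55 04 03 0c 07 54 65 73 74 20 43 41")
    cert_req = handshake_msg(CERTIFICATE_REQUEST,
                             b"\x02\x01\x40"                # certificate_types: rsa_sign, ecdsa_sign
                             + b"\x00\x04\x04\x01\x04\x03"  # rsa_pkcs1_sha256, ecdsa_secp256r1_sha256
                             + struct.pack("!H", len(test_ca_dn) + 2)
                             + struct.pack("!H", len(test_ca_dn)) + test_ca_dn)
    hs = server_hello + certificate + (cert_req if with_cert_request else b"") + handshake_msg(14, b"")
    # Fragment the handshake stream into 40-byte records to exercise reassembly, then append
    # ChangeCipherSpec and an encrypted record, which the parser must ignore.
    records = b"".join(tls_record(HANDSHAKE, hs[i:i + 40]) for i in range(0, len(hs), 40))
    return records + tls_record(CHANGE_CIPHER_SPEC, b"\x01") + tls_record(HANDSHAKE, b"\xde\xad" * 8)


if __name__ == "__main__":
    for flag in (True, False):
        print(summarize(build_sample_flight(flag)))
```

To run this against a real capture, export the server-to-client direction of the SIP TLS connection as raw bytes (for example with Wireshark's Follow TCP Stream, one direction only) and pass it to `summarize`. The decision is on the presence of the message, not its contents: a CertificateRequest with an empty certificate_authorities list still means the endpoint asked for a client certificate and must be reconfigured. As a quicker check in Wireshark, the display filter `tls.handshake.type == 13` shows any cleartext CertificateRequest in the capture.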
