Changes to TLS clientAuth Certificates: Ensuring You're Not Impacted


Cisco customers and partners who use Cisco equipment and services should be aware of important upcoming changes to public TLS certificates used for client authentication, driven by browser security policies such as those of Google Chrome. These changes affect certificates containing the Client Authentication Extended Key Usage (EKU) and require careful management of certificate trust stores to avoid service disruptions.

This article explains the changes, the role of trust stores, how to verify and update them, and the steps to ensure your systems remain secure and operational.

Important Note: This does NOT affect certificates issued by a private PKI.

Extended Key Usage (EKU) defines the specific purposes for which a digital certificate may be used. Two common EKUs in TLS certificates are:

  • Server Authentication (OID 1.3.6.1.5.5.7.3.1): verifies a server's identity to clients, enabling secure HTTPS connections.
  • Client Authentication (OID 1.3.6.1.5.5.7.3.2): verifies a client's identity to a server, which is essential for mutual TLS (mTLS), where both parties authenticate each other.
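As an added example (not from the Cisco post and not Cisco tooling), the following stdlib-only Python walks a DER certificate's extensions and reports which of the two EKU OIDs above it carries. Everything in it beyond the OIDs is an assumption for illustration: the function names, the file argument, and the skeleton certificate it builds for demonstration, which is a constructed, unsigned placeholder with empty names, a dummy key and only an EKU extension.

```python
"""Added example (not from the Cisco post): a stdlib-only DER walker that pulls the
Extended Key Usage OIDs out of an X.509 certificate and reports whether it carries
serverAuth and/or clientAuth.  Usage: python eku_check.py cert.pem  (PEM or DER)"""
import base64
import sys

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_EXTENSION = "2.5.29.37"          # id-ce-extKeyUsage

def der_tlv(buf, pos=0):
    """Decode one tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        out.append((tag, inner))
    return out

def decode_oid(content):
    """OID content octets -> dotted string (first octet packs the first two arcs)."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:             # a clear high bit ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def extended_key_usages(cert_der):
    """EKU OIDs of a DER certificate, [] when the extension is absent."""
    _, cert, _ = der_tlv(cert_der)
    tbs = der_children(cert)[0][1]   # tbsCertificate is the first element
    for tag, value in der_children(tbs):
        if tag != 0xA3:              # [3] EXPLICIT Extensions
            continue
        for _, ext in der_children(der_children(value)[0][1]):
            fields = der_children(ext)                 # extnID, [critical], extnValue
            if decode_oid(fields[0][1]) == EKU_EXTENSION:
                _, seq, _ = der_tlv(fields[-1][1])     # OCTET STRING wraps SEQUENCE OF OID
                return [decode_oid(v) for t, v in der_children(seq) if t == 0x06]
    return []

def classify(cert_der):
    ekus = extended_key_usages(cert_der)
    return {"serverAuth": SERVER_AUTH in ekus, "clientAuth": CLIENT_AUTH in ekus, "ekus": ekus}

# --- minimal DER encoder, used only to build the constructed test certificate ---
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk, a = chunk + [0x80 | (a & 0x7F)], a >> 7
        body += bytes(reversed(chunk))
    return tlv(0x06, body)

def skeleton_cert(ekus):
    """Constructed placeholder: structurally a v3 certificate (unsigned, empty names,
    dummy key) whose only extension is an EKU listing `ekus`.  Not a real certificate."""
    eku_ext = tlv(0x30, encode_oid(EKU_EXTENSION)
                  + tlv(0x04, tlv(0x30, b"".join(encode_oid(o) for o in ekus))))
    sha256_rsa = tlv(0x30, encode_oid("1.2.840.113549.1.1.11"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))                  # version v3
                    + tlv(0x02, b"\x01")                            # serialNumber
                    + sha256_rsa                                    # signature
                    + tlv(0x30, b"")                                # issuer (empty)
                    + tlv(0x30, tlv(0x17, b"250101000000Z") + tlv(0x17, b"260101000000Z"))
                    + tlv(0x30, b"")                                # subject (empty)
                    + tlv(0x30, tlv(0x30, encode_oid("1.2.840.113549.1.1.1")) + tlv(0x03, b"\x00"))
                    + tlv(0xA3, tlv(0x30, eku_ext)))                # [3] extensions
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00"))

def load_cert(path):
    """Read a DER or PEM certificate file into DER bytes."""
    data = open(path, "rb").read()
    if b"-----BEGIN" in data:
        data = base64.b64decode(b"".join(l for l in data.splitlines() if not l.startswith(b"-----")))
    return data

if __name__ == "__main__":
    der = load_cert(sys.argv[1]) if len(sys.argv) > 1 else skeleton_cert([SERVER_AUTH, CLIENT_AUTH])
    print(classify(der))
```

On a real certificate, `openssl x509 -in cert.pem -noout -ext extendedKeyUsage` prints the same OIDs by name; the walker above is useful where you want the check inside an inventory script, or where a cert lists an EKU OID openssl does not name. A certificate whose EKU list contains only 1.3.6.1.5.5.7.3.1 will not be accepted by a server that requires clientAuth, which is exactly the failure mode the policy change introduces for mTLS.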

The change, disallowing public TLS certificates from containing the clientAuth EKU, was initiated by Google Chrome's root store program policies. This may work fine within the boundaries of web browsing. However, Cisco's ecosystem has different security requirements, which include trusting root certificates so that its services and equipment can securely authenticate both clients and servers.

Key facts:

  • From June 15, 2027, public Certificate Authorities (CAs) within Google Chrome's root store will stop issuing TLS certificates containing both the serverAuth and clientAuth EKUs.
  • Certificates issued before this date remain valid until their expiration, even beyond June 15, 2027.
  • Cisco's publicly available Trusted Root Store bundles will include the Root CAs needed for clientAuth validation.

If Cisco customers and partners are currently using the clientAuth EKU in certificates, it is important to verify that their trust stores include the Root CAs whose hierarchies will continue to issue certificates with the clientAuth EKU.

Cisco manages its own publicly available Trusted Root Store bundles tailored to various types of services. These bundles include the Root CAs necessary to validate certificates used in Cisco services, ensuring secure mutual authentication while aligning with browser root store policies.

More information on Cisco's Trusted Root Stores is available from Cisco.

Using IdenTrust and DigiCert as examples, you can see how the industry is shifting away from "IdenTrust Commercial Root CA 1" and "DigiCert Global Root G2" towards different Root and Issuing/Sub CAs for clientAuth. This is because those Root CAs will remain in the Google Chrome root store, where they are no longer allowed to issue certificates that contain the clientAuth EKU.

Solution  | EKU Type                      | Root CA                             | Issuing/Sub CA
IdenTrust | clientAuth                    | IdenTrust Public Sector Root CA 1*  | TrustID RSA ClientAuth CA 2
IdenTrust | clientAuth + serverAuth       | IdenTrust Public Sector Root CA 1*  | IdenTrust Public Sector Server CA 1
IdenTrust | serverAuth (browser trusted)  | IdenTrust Commercial Root CA 1      | HydrantID Server CA O1
DigiCert  | clientAuth                    | DigiCert Assured ID Root G2*        | DigiCert Assured ID Client CA G2
DigiCert  | clientAuth + serverAuth       | DigiCert Assured ID Root G2*        | DigiCert Assured ID CA G2
DigiCert  | serverAuth (browser trusted)  | DigiCert Global Root G2             | DigiCert Global G2 TLS RSA SHA256

This example illustrates the move towards new Root CAs for clientAuth needs and the importance of verifying that your services trust them in order to successfully establish TLS connections.

Note: The above Root CAs are all included in Cisco's Trusted Root Store bundles.

For more details, see Cisco's trusted root store bundles:
Cisco Trusted Root Store Bundles Readme

A trust store is a collection of trusted Root CA certificates that your systems use to validate TLS certificates. To avoid disruptions:

  • Ensure your systems' trust stores include the correct Root CAs, such as those listed above.
  • Regularly update trust stores to align with Cisco's publicly available bundles.
  • Remember that missing or outdated Root CAs in a trust store cause certificate validation failures.

General Verification Steps

  • Identify the trust store location used by your system or application.
  • Use tools such as keytool (Java), OpenSSL, or platform-specific utilities to list the certificates in the trust store.
  • Verify that the new Root CAs you will rely on for clientAuth needs (e.g., IdenTrust Public Sector Root CA 1, DigiCert Assured ID Root G2) are present.
  1. Audit Your Current Certificates and Trust Stores
    Inventory all public TLS certificates, especially those used for mTLS, and verify the EKUs they contain. Confirm that your trust stores include the correct Root CAs. Contact your Certificate Authority partner (DigiCert, IdenTrust, Sectigo, etc.) to make sure you understand which Root CA to trust for clientAuth.
  2. Update Trust Stores Regularly
    Align your trust stores with Cisco's publicly available trusted root store bundles.
  3. Add Missing Root CAs to Trust Stores
    If a required Root CA is missing, import it into your trust store.
  4. Coordinate with Partners
    Communicate with external partners to ensure their certificates and trust stores comply with the new requirements.
  5. Monitor Browser and CA Policy Changes
    Stay informed about the browser policies (e.g., Google Chrome) that drive these changes and about announcements from your chosen Certificate Authority partner.
  6. Test
    Using new CAs requires testing on both the server and client sides to ensure the new certificates are trusted.
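Steps 1 to 3 above amount to a diff between what your system currently trusts and what the published bundle contains. As an added example (not Cisco's code and not tied to any specific Cisco bundle), the Python below compares two PEM bundles by SHA-256 certificate fingerprint, lists the roots missing from the system store, and produces the merged store to import. The sample bundles it builds are constructed placeholders (base64 of arbitrary bytes, not real certificates) so that it runs offline; the file names and function names are assumptions.

```python
"""Added example (not Cisco's code): compare a system trust store against a published
root bundle by SHA-256 fingerprint, report the missing roots and emit the merged store.
Usage: python trust_store_diff.py /etc/ssl/certs/ca-certificates.crt cisco-bundle.pem"""
import base64
import hashlib
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_blocks(text):
    """Each certificate in a PEM bundle as (sha256 fingerprint, original PEM block)."""
    out = []
    for m in PEM_BLOCK.finditer(text):
        der = base64.b64decode("".join(m.group(1).split()))
        out.append((hashlib.sha256(der).hexdigest().upper(), m.group(0)))
    return out


def missing_roots(system_pem, required_pem):
    """Roots in required_pem that system_pem lacks, keyed by fingerprint."""
    have = {fp for fp, _ in pem_blocks(system_pem)}
    return {fp: pem for fp, pem in pem_blocks(required_pem) if fp not in have}


def merged_store(system_pem, required_pem):
    """system_pem with every missing required root appended once."""
    extra = "\n".join(missing_roots(system_pem, required_pem).values())
    return system_pem.rstrip("\n") + ("\n" + extra + "\n" if extra else "\n")


def _fake_pem(label):
    """Constructed placeholder block: base64 of padded label bytes, NOT a certificate."""
    body = base64.b64encode(label.encode().ljust(48, b"\x00")).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----"


# Constructed sample data: a system store that still carries only the browser-trusted
# roots, and a bundle that additionally lists the roots needed for clientAuth.
SYSTEM_STORE = "\n".join([_fake_pem("DigiCert Global Root G2"),
                          _fake_pem("IdenTrust Commercial Root CA 1")])
REQUIRED_BUNDLE = "\n".join([_fake_pem("DigiCert Global Root G2"),
                             _fake_pem("DigiCert Assured ID Root G2"),
                             _fake_pem("IdenTrust Public Sector Root CA 1")])

if __name__ == "__main__":
    if len(sys.argv) == 3:
        system_pem, required_pem = (open(p).read() for p in sys.argv[1:3])
    else:
        system_pem, required_pem = SYSTEM_STORE, REQUIRED_BUNDLE
    missing = missing_roots(system_pem, required_pem)
    for fp in missing:
        print("missing root, sha256 fingerprint:", fp)
    print(f"{len(missing)} root(s) to import; merged store is "
          f"{len(pem_blocks(merged_store(system_pem, required_pem)))} certificates")
```

To put a name to a fingerprint before importing it, `openssl x509 -in root.pem -noout -subject -fingerprint -sha256` prints both; for a Java trust store, `keytool -list -v -keystore cacerts` shows the same SHA-256 fingerprints and `keytool -importcert -alias <name> -file root.pem -keystore cacerts` adds a missing root. Comparing by fingerprint rather than by subject name matters here because, as the table above shows, the new clientAuth roots have names close to the old ones.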

By auditing your certificates and trust stores now and aligning with Cisco's trusted root store bundles, you can ensure your Cisco services and equipment continue to operate securely and without interruption. We encourage impacted organizations to review their current certificate usage and begin planning their migration well ahead of the deadlines.

Reference Document Links:

  1. CUCM Certificate Management and Change Notification – Cisco
  2. Security Guide for Cisco Unified Communications Manager, Release 15 and SUs – Default Security
  3. Secure Network Analytics SSL/TLS Certificates Guide for Managed Appliances v7.5.3
