Genesys Cloud - Main


  • 1.  BYOC Cloud Client Authentication EKU Removal Announcement - 2026

    Posted 2 days ago

    Genesys recently announced the removal of the Client Authentication Extended Key Usage (EKU) from BYOC Cloud SIP TLS X.509 certificates.  This discussion will be for sharing more information and allowing users to ask questions regarding this announcement. Client authentication EKU support removed from Genesys Cloud certificate

    Public Certificate Authorities, such as DigiCert and Amazon Trust Services, which are used to sign BYOC Cloud SIP endpoints, announced they are removing the Client Authentication EKU from issued X.509 certificates in alignment with Google Chrome's root program requirements. DigiCert Announcement

    Genesys Cloud will be renewing the server certificates for the BYOC Cloud SIP endpoints the week of March 9, 2026, which will remove the Client Authentication EKU from those certificates.  Depending on the configuration of your remote SIP endpoints, this could cause disruption if not validated in advance.  

    More details about BYOC Cloud TLS capabilities are listed on this page: TLS trunk transport protocol specification

    Remote SIP Endpoints

    In this discussion a "remote SIP endpoint" represents a device external to the Genesys platform that communicates with Genesys Cloud using BYOC Cloud with the SIP protocol.  This device is usually controlled and managed by telephony or network administrators or one of their partners, such as a carrier or service provider.  These devices are not controlled or managed within Genesys Cloud.

    BYOC Cloud SIP Endpoints

    In this discussion, a "BYOC Cloud SIP Endpoint" represents the public SIP endpoints for Genesys Cloud listed on this page: BYOC Cloud Public SIP IP Addresses.  These devices are controlled and managed by Genesys and there is no Genesys Cloud configuration required for this deprecation.  

    GC External Trunk

    In this discussion the "GC External Trunk" represents the Genesys Cloud SIP trunk configuration for the BYOC Cloud trunk.  This is the Genesys Cloud configuration where the details for the communication between the BYOC Cloud SIP Endpoints and the remote SIP endpoints are defined.  

    Nothing needs to be changed in your Genesys Cloud configuration - the use of client authentication is determined by your remote SIP endpoint, most likely a Session Border Controller (SBC), SIP Trunk, or carrier configuration, or carrier device.  

    Mutual TLS is initiated by the Server via a "Certificate Request" during the TLS handshake. 

    Inbound Calls (Carrier or SBC to Genesys Cloud)

    For inbound calls the BYOC SIP endpoints act as the Server and they never request client certificates, so there is no risk with this change for inbound.

    Outbound Calls  (Genesys Cloud to Carrier or SBC)

    For outbound calls, the customer remote SIP endpoints act as the Server and, based on configuration, they may request a client certificate from the BYOC SIP endpoints; those endpoints would respond with their server certificate, which currently includes the Client Authentication EKU. Because of this, customer endpoints could be incorrectly configured to initiate or require mutual TLS and satisfy that requirement with the certificate Genesys provides; however, that is not a valid form of authentication and does not provide any security improvements.

    If customer endpoints are configured this way, they will continue to work for now, but when Genesys renews certificates after March 9, 2026, the new certificates will not include this usage. Although these endpoints will continue to provide a response in the TLS handshake, the server certificate will no longer contain the client authentication EKU, and those connections may be rejected by the remote SIP endpoints. Customers should ensure that they are not configured for client authentication or mutual TLS. 

    How to determine if Client Authentication is being used

    The best way to review the TLS handshake is to review a packet capture of the SIP communication.  Although with TLS trunks the SIP communication will be encrypted and not visible in the capture, the TLS handshake process provides details that can be derived from the capture.  It is important to look at outbound calls specifically.

    Identify if a "Certificate Request" message exists, which could be requested with other messages, such as highlighted below.  The presence of the "Certificate Request" message is an indication that the remote SIP endpoint is configured to attempt mutual TLS.  In this example, the Server provides its Server certificate with the Client Authentication EKU, and the Client validates the certificate and uses it as a valid client certificate.  

    [image: packet capture of the TLS handshake described above, with the "Certificate Request" message highlighted]

    What to expect after the Client Authentication EKU is removed

    In another example, where the Server certificate does not contain the Client Authentication EKU, the same request fails.  The remote SIP endpoint still makes the Certificate Request and the Server still provides its own Server certificate, however, since the Server certificate does not contain the Client Authentication EKU, the remote SIP endpoint rejects the certificate with an "Unsupported Certificate" error and closes the connection.  In this case an Outbound Call would fail.  

    [image: packet capture of the failing TLS handshake, ending in an "Unsupported Certificate" error]

    How to Remediate to avoid issues before the certificate renewal

    If inspecting the TLS handshake for an outbound call SIP connection reveals the presence of the "Certificate Request" message sent from your endpoint, remediation is required.  Your remote SIP endpoint is configured for client authentication or mutual TLS, and that must be disabled to avoid issues before the BYOC Cloud server certificates are renewed.  Review your device configuration or consult your device vendor or carrier to correct this configuration.  

    From previous experience we anticipate that Cisco CUBE devices enable mutual TLS requests by default, but are not aware if they "attempt" mutual TLS or "require" mutual TLS, so we cannot say how impactful this change will be.  

    Testing connections without Client Authentication EKU

    BYOC Cloud recently launched the Dynamic Cloud Voice Platform to Limited Availability.  This is a new set of BYOC Cloud SIP endpoints that, among other changes, use new certificates from Amazon Trust Services and do not contain the Client Authentication EKU.  Creating a new SIP trunk using the Dynamic Cloud Voice Platform would allow you to build a new BYOC Cloud trunk without impact to your existing trunks and test connectivity from your existing remote SIP endpoint to BYOC Cloud SIP endpoints that have Server certificates that do not have the Client Authentication EKU.
    https://help.mypurecloud.com/articles/enable-the-dynamic-cloud-voice-platform/

    Please leave a message on this post if additional clarification is requested. 


    #Telephony

    ------------------------------
    Phil Whitener
    Genesys - Employees
    ------------------------------
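    A way to check what the post describes from the remote SIP endpoint's side: fetch the leaf certificate a BYOC Cloud SIP endpoint presents and list its Extended Key Usage OIDs, so you can see whether clientAuth (1.3.6.1.5.5.7.3.2) is still in it. This is an added example, not Genesys code or tooling; the host name, port 5061 and the two embedded extension fragments are assumptions and constructed sample data, and Python's ssl module does not expose EKU in getpeercert(), which is why a small DER reader is used.

```python
import ssl
import sys

# OID 2.5.29.37 (extendedKeyUsage) as DER OID contents, plus the two EKU purposes of interest
EKU_EXT_OID = bytes.fromhex("551d25")
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(contents):
    """Decode DER OID contents to dotted notation."""
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def eku_oids(cert_der):
    """List the EKU OIDs of a DER cert ([] if no EKU extension); finds the extension by its OID bytes."""
    marker = b"\x06\x03" + EKU_EXT_OID
    idx = cert_der.find(marker)
    if idx < 0:
        return []
    tag, contents, pos = _read_tlv(cert_der, idx + len(marker))
    if tag == 0x01:                         # skip the optional 'critical' BOOLEAN
        tag, contents, pos = _read_tlv(cert_der, pos)
    _, seq, _ = _read_tlv(contents, 0)      # extnValue wraps a SEQUENCE OF OID
    oids, p = [], 0
    while p < len(seq):
        _, oid, p = _read_tlv(seq, p)
        oids.append(_decode_oid(oid))
    return oids

def has_client_auth_eku(cert_der):
    return CLIENT_AUTH in eku_oids(cert_der)

def fetch_leaf_cert_der(host, port=5061):
    """Fetch the leaf certificate a TLS server presents (needs network access; assumed SIP TLS port)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

# Constructed EKU extension fragments (sample data, not real certificates); a full DER cert works the same way
EKU_SERVER_AND_CLIENT = bytes.fromhex("301d0603551d2504163014" "06082b06010505070301" "06082b06010505070302")
EKU_SERVER_ONLY = bytes.fromhex("30130603551d25040c300a" "06082b06010505070301")

if __name__ == "__main__":
    der = fetch_leaf_cert_der(sys.argv[1]) if len(sys.argv) > 1 else EKU_SERVER_AND_CLIENT
    print("EKU:", eku_oids(der), "clientAuth present:", has_client_auth_eku(der))
```

    Run it against a BYOC Cloud SIP endpoint before and after the renewal week: once the renewed certificate reports serverAuth only, any remote endpoint that still sends a Certificate Request will fail as shown in the second capture.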


  • 2.  RE: BYOC Cloud Client Authentication EKU Removal Announcement - 2026
    Best Answer

    Posted 13 hours ago

    Thank you for this thorough write-up, Phil!



    ------------------------------
    Jason Kleitz
    Online Community Manager/Moderator
    ------------------------------