Contact sales Start for free
Contact sales Start for free
An icon of a right arrow Back

TLS certificates | Feb. 19, 2026

Changes to Public Certificate Authority EKU for SIP over TLS

Starting May 1, 2026, Twilio’s public Certificate Authority will no longer include the Client Authentication Extended Key Usage (EKU) extension in the security certificates they issue.

Twilio plans to rotate our certificates on or after August 1, 2026. Depending on security needs, we may need to rotate the certificate sooner without notice. When Twilio rotates its certificates, the new certificates won't contain this extension.

This change affects any customer who uses SIP over TLS with Twilio, requires mutual TLS (mTLS) on their SIP servers, and strictly validates the Client Authentication EKU. Any new outbound TLS connection from Twilio to a customer's SIP servers is affected, including subsequent signaling messages (like BYE) on customer-initiated calls.

What customers need to do

Customers should review their SIP equipment configuration to check if they require the Client Authentication EKU during mTLS handshakes. If so, customers need to update this configuration to remove this requirement before May 1, 2026.

Need a hand?

Check out these resources:

Elastic SIP trunking Developer Insights

Additional Resources

Blog

Read more about our latest product updates, product tutorials, and community projects.


Read the blog
Docs

See API reference documentation, quickstarts, SDKs, and multi-language code samples.

Read the docs
Events

Find upcoming events and join us virtually or in person to learn more about our products.


View events