Duo Certificate Expiration FAQs

Take action by Feb. 2, 2026 

Duo's certificate authority (CA) bundle is expiring, impacting older Duo software versions. Campus system administrators and developers must update their Duo integrations, SDKs, and APIs to ensure continued functionality.

  • Review the FAQs below.
  • Visit Duo's help article (https://help.duo.com/s/article/9451) to find the minimum software versions available for your applications and to check your current software versions.

Frequently Asked Questions

What’s the concern? 

When sysadmins install and configure Duo on their servers and applications, the installed software includes a Cisco-specific bundle of TLS certificates. (Cisco is the parent company of Duo.) These certificates secure communications with the Duo corporate infrastructure. The root certificate included in older versions of the software will expire February 2, 2026. Sysadmins and developers should ensure they're using modern versions of Duo's software and APIs; otherwise, Duo functionality will fail on March 31, 2026.

Does this affect Duo on my phone? 

Yes, it does. Fortunately, the Cisco Duo apps for mobile devices have included new certificate bundles in updates released since April 2025. Normally, apps update themselves automatically, so this shouldn't be an issue. Anyone who has unwisely disabled automatic app updates or tries to use an obsolete version of Duo on their devices will encounter MFA failures starting in the spring. When in doubt, visit the app store on your device and look for the official Duo Mobile app to check whether updates are pending.

Who needs to take action? 

System administrators have met the Minimum Security Standard for Servers by installing Duo for multifactor authentication (MFA) across hundreds of servers and applications. The most common use is to invoke MFA when people connect using ssh and RDP. 

Web developers may have used an official Duo SDK to build MFA into their web apps or content management systems, or used a Duo plug-in for platforms like WordPress.

Campus software developers making tools to automate Duo deployment functionality need to make sure their APIs are updated. Anyone still using obsolete versions after Duo’s cut-off time will encounter errors, lock-outs and frustrated users.

What about Stanford Web Authentication and VPN? 

The University IT administrators who manage the main campus single sign-on systems have already updated their software to accommodate the change. No interruptions are expected. 

What versions of the Duo software are affected? How do I check my own deployment? 

Cisco has published a document addressing this issue. It indicates the minimum compatible version; it also shows how to determine the version for any given type of deployment. 

What specific actions should Linux and Windows Server administrators take? 

Update the Duo software on their systems. The Information Security Office recommends always using the latest version available from the Cisco Duo repositories for Linux and Unix-like systems, so that common package managers like yum and apt can be used for patching. If installing from duo_unix source code, view the Duo GitHub project page. Windows sysadmins should download the latest software from the Duo website.

What specific actions should developers take? 

Review the versions deployed in your project to check for compatibility. Duo’s GitHub site has libraries, SDKs and APIs for the public to inspect and use. Update as necessary and validate your code.