I need to clarify the purchase of a certificate to support an mTLS connection between Cisco Expressway-E and the Webex cloud (VIMT service).
Due to current changes in public CA policies, standard TLS certificates are no longer suitable. Please clarify the possibility of issuing a certificate with the following parameters:
Extended Key Usage (EKU): The certificate must include the "TLS Web Client Authentication" extension.
Identification (SAN): The certificate must support DNS SAN entry types. We need to include several of our server's FQDNs.
Product Profile: Which profile should be purchased and what is its price?
Validity Period: Are 1-year or 2-year plans available for this type of certificate?
Please clarify the cost of such a solution and confirm that if we provide a CSR with filled-out DNS SANs, your system will not "strip" them during issuance.
This is available, now, at zero cost, using the tlsclient profile. But it won't be for long, and at that point, it won't be available from Let's Encrypt at all, for any price.
Let's Encrypt can issue certificates with the TLS client authentication and TLS server authentication until May 13, 2026 using the tlsclient ACME profile; this requires using an ACME client such as certbot or lego.
The certificates can have up to 100 DNS names.
The tlsclient profile can be used until May 13, 2026 and is free.
The tlsclient profile certificates have a lifetime of 90 days.
Let's Encrypt do not charge for any certificates; however, after May 13, 2026, Let's Encrypt will not issue any certificates with the TLS client authentication EKU.
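
The two things the question asks to have confirmed (the "TLS Web Client Authentication" EKU is present, and the DNS SANs from the CSR were not stripped) can be checked on the issued certificate with openssl. This is an added example, not part of the thread: the function names and the example.com FQDNs are hypothetical, the sample certificates are constructed self-signed ones, and `openssl x509 -ext` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# check_mtls_cert CERT.pem FQDN [FQDN...]
# Returns 0 only if the certificate carries the client-auth EKU and every
# expected FQDN appears as a DNS SAN; prints one line per finding.
check_mtls_cert() {
    cert=$1; shift
    rc=0
    eku=$(openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null) || eku=""
    san=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null) || san=""
    case $eku in
        *"TLS Web Client Authentication"*) echo "OK   EKU clientAuth present" ;;
        *) echo "FAIL EKU clientAuth missing"; rc=1 ;;
    esac
    # Turn "DNS:a, DNS:b" into one bare name per line for exact matching.
    names=$(printf '%s\n' "$san" | tr ',' '\n' | tr -d ' ' | sed -n 's/^DNS://p')
    for want in "$@"; do
        if printf '%s\n' "$names" | grep -qxiF "$want"; then
            echo "OK   SAN $want"
        else
            echo "FAIL SAN $want missing"; rc=1
        fi
    done
    return $rc
}

# make_sample_cert OUT.pem EKU_VALUE SAN_VALUE
# Builds a throwaway self-signed certificate (constructed sample input,
# not a Let's Encrypt certificate) so the check can be run offline.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=sample" \
        -keyout "$1.key" -out "$1" \
        -addext "extendedKeyUsage=$2" -addext "subjectAltName=$3" 2>/dev/null
}

# Demo: one certificate with both EKUs, one with server auth only.
tmp=$(mktemp -d)
make_sample_cert "$tmp/both.pem" "serverAuth,clientAuth" \
    "DNS:expe1.example.com,DNS:expe2.example.com"
make_sample_cert "$tmp/server-only.pem" "serverAuth" "DNS:expe1.example.com"
check_mtls_cert "$tmp/both.pem" expe1.example.com expe2.example.com
check_mtls_cert "$tmp/server-only.pem" expe1.example.com \
    || echo "server-only certificate is not usable as an mTLS client certificate"
rm -rf "$tmp"
```

Against a real issuance, pass the certificate file written by the ACME client and the FQDNs that were placed in the CSR.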