Hello, please add my account to the allowlist for the "tlsclient" ACME
profile (which retains the TLS Client Authentication EKU).
Account ID: 3389924466
ACME endpoint: acme-v02.api.letsencrypt.org (production)
Use case: Microsoft Teams Direct Routing SBC. As of June 2026 Microsoft
requires the SBC client certificate to carry the clientAuth EKU for the
mutual-TLS SIP interface. The classic profile no longer issues it, which
broke inbound PSTN→Teams calls. We need the tlsclient profile to restore
the mTLS trunk.
The tlsclient profile is only available to ACME accounts which used it prior to May 14, and even that limited access will be going away next month. If you need a TLS Client EKU, you need to use some other CA, and probably in most cases your own private one would be best.
And I know next to nothing about Microsoft Teams Direct Routing, but a quick web search brought me this article that makes it look like their server doesn't care whether you're using a Client Auth certificate or not.
Microsoft SIP endpoints currently trust SBC certificates that do not include the Client Authentication Extended Key Usage (EKU). This behavior is expected to continue for the foreseeable future. If this requirement changes in the future, Microsoft will communicate it in advance.
Further down that article there are older entries that mention a June deadline (Update on upcoming certificate changes (December 12, 2025)). However, this appears to describe changes MS is making to the certificates on their side of the connection. You'll have to make sure your system will trust these certificates.
Under this heading it also says:
[...] In the future, Microsoft will require all SBC certificates to include the Client Authentication EKU. At that time, a list of publicly trusted CAs capable of issuing such certificates will become available. [...]
So unless Microsoft told you that you have to change the certificates you use (not the ones you'll accept), you should be OK to continue with Let's Encrypt's certificates without clientAuth EKU until such an announcement is made.
Once you need to switch, Let's Encrypt won't be an option.