News
Abstract
On May 1, 2025, Duo Security updated their CA pinning certificate bundle to align with new standards being implemented by Google Chrome and Mozilla Firefox.
Content
What happened?
On May 1, 2025, Duo Security updated their CA pinning certificate bundle to align with new standards being implemented by Google Chrome and Mozilla Firefox.
Reference: https://github.com/duosecurity/duo_universal_java/releases/tag/1.3.1
According to Duo’s advisory:
https://help.duo.com/s/article/9451?language=en_US
- Starting April 15, 2026, Chrome and Firefox will distrust the DigiCert certificates currently used in Duo’s CA pinning bundle.
- This is an out-of-band distrust event, meaning it occurs outside the normal certificate expiration cycle.
- All Duo products using certificate pinning are affected.
- Duo has released updated versions of all impacted products containing new root certificates with more diverse and redundant certificate authorities to prevent future disruptions.
Key Dates
- Soft Cut‑Over: After February 2, 2026, older Duo versions using the expiring bundle may begin failing authentication.
- Hard Cut‑Over: On March 31, 2026, unsupported versions will stop working entirely.
What happens if you don’t take action?
From Duo’s advisory:
https://help.duo.com/s/article/9451?language=en_US
If customers do not upgrade:
- Users may stop receiving Duo Push notifications or fail authentication.
- Server integrations may no longer connect to Duo APIs.
- Legacy integrations may break completely after March 31, 2026.
How to check if you are affected
You can verify impacted applications by reviewing the Unsupported Clients Log in Duo’s Admin Dashboard:
https://duo.com/docs/administration-reporting#unsupported-clients-log
Navigate to:
Reports → Unsupported Clients Log
This dashboard lists any applications using unsupported Duo client versions.
Identifying the SOAR Integration
- If the affected application shows Duo API Python under Client Application Name, the customer is likely using the Cisco Duo Beyond app from the App Exchange. You can confirm this by looking at the Administration Settings in SOAR under the Apps section and seeing whether the Cisco Duo Beyond app is installed.
- If it shows duo_universal_java and there is no app installed in SOAR, the customer is using the built‑in Duo Two‑Factor Authentication (not the App Exchange version).
If the Unsupported Clients Log lists only Duo API Python and the app is installed in SOAR, the customer only needs to update the App Exchange app.
If the log lists only duo_universal_java and no app is installed in SOAR, the customer needs to update the SOAR product.
If the log lists both Duo API Python and duo_universal_java and the app is installed in SOAR, the customer must update both.
Workarounds
At this time, the only workaround for SOAR is to temporarily disable Two‑Factor Authentication and immediately upgrade to the latest patched version of SOAR or the app (depending on which is installed).
This limitation exists because:
- SOAR uses the Duo Universal Java SDK, not the standalone Duo Java client.
- The SOAR product does not manage CA certificate pinning or certificate interactions directly.
- Because of this, the only valid resolution is to upgrade to a version that includes Duo’s updated SDK.
Delivery Plan
- A new version of the Cisco Duo Beyond App Exchange integration has been released: Version 1.0.1
  https://apps.xforce.ibmcloud.com/extension/63536df63aa78900c1f9c42153127031
- For the built‑in Duo integration, IBM is releasing a hotfix starting with: SOAR v51.0.5.2
Upgrade Requirements
- If you are on a version older than v51.0.5.2, you must upgrade your SOAR product to at least that version.
- If you are already on v51.0.5.2 or newer, you only need to install the patched Duo hotfix to avoid service disruption.
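The identification rules under "Identifying the SOAR Integration" and the upgrade requirements above can be combined into one triage check. The following Python is an added example, not IBM's or Duo's code; the CSV export layout, the sample rows and the function names are assumptions made for illustration, and combinations this page does not describe are flagged rather than guessed.

```python
import csv
import io

# Constructed sample of an Unsupported Clients Log export. The CSV layout is an
# assumption; only the "Client Application Name" column is named on this page.
SAMPLE_LOG = """Timestamp,Client Application Name
2026-01-20T10:02:11Z,Duo API Python
2026-01-20T10:05:43Z,duo_universal_java
2026-01-21T08:15:00Z,duo_universal_java
"""

HOTFIX_BASE = (51, 0, 5, 2)  # SOAR v51.0.5.2, the hotfix baseline named above


def parse_version(text):
    """Turn 'v51.0.5.2' into (51, 0, 5, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))


def clients_in_log(csv_text):
    """Return the set of lower-cased client names seen in the export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["Client Application Name"].strip().lower() for row in rows}


def triage(csv_text, app_installed, soar_version):
    """Map log contents and SOAR state to the actions this page lists."""
    seen = clients_in_log(csv_text)
    python_client = "duo api python" in seen
    java_sdk = "duo_universal_java" in seen
    if not (python_client or java_sdk):
        return []  # neither client is reported as unsupported
    soar_step = ("upgrade SOAR to at least v51.0.5.2"
                 if parse_version(soar_version) < HOTFIX_BASE
                 else "install the patched Duo hotfix")
    app_step = "update the Cisco Duo Beyond app to 1.0.1"
    if python_client and java_sdk and app_installed:
        return [app_step, soar_step]
    if python_client and not java_sdk and app_installed:
        return [app_step]
    if java_sdk and not python_client and not app_installed:
        return [soar_step]
    # Combination the page does not describe: do not guess.
    return ["review manually: combination not covered by the advisory"]
```

Calling `triage(SAMPLE_LOG, True, "v51.0.4.0")` returns both the app update and the SOAR upgrade step.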
Document Information
Modified date: 28 January 2026
UID: ibm17258242