Skip navigation

Duo Trusted Endpoints Certificate Migration Guide

Last Updated: June 7th, 2022

Beginning August 25, 2022, Duo integrations that use certificates to verify device trust as part of our Trusted Endpoints feature will reach end-of-life status. Certificate-based verification will stop working by September 1, 2022.


When Duo introduced Trusted Endpoints it relied on the presence of a certificate issued by Duo on endpoints accessing protected services. We have moved away from device certificates to alternative methods of identifying trusted devices that leverage Duo Mobile on Android and iOS devices, or Duo Device Health on Windows and macOS computers. This strategy provides the following benefits:

  • Reduced administrative tasks: Using the Device Health app for Trusted Endpoints eliminates the work associated with managing certificate infrastructure and renewals.

  • Consistent and reliable experience: Get a more reliable Trusted Endpoints experience across a variety of web browsers and thick client applications by using the Device Health app instead of certificates to report endpoint characteristics to Duo. Mobile device users will also receive a more uniform experience across iOS and Android when you migrate to an integration that uses Duo Mobile for trust in place of certificates.

  • Expanded browser support: Duo Device Health app supports authentications in all major browsers, including Firefox. Duo device certificate detection does not support Firefox.

  • Improvements for shared endpoints: With certificate-based management integrations, device certificates are associated with users rather than devices, preventing detection of the endpoint as a trusted device when shared by multiple people.

End-of-Life Information

As part of the shift away from certificates for identifying trusted endpoints we will end support for management integrations based on issuing Duo Device Trust certificates. This change will deploy as part of the product deployment cycle beginning on August 25, 2022 and ending September 1, 2022.

To prepare for this end-of-life milestone, you must transition your existing integrations to use the Duo Device Health application for desktop or Duo Mobile for mobile device verification prior to August 25, 2022. Some Trusted Endpoints integrations are ready to migrate to replacement solutions now while other integrations are in development. See the Device Trust Solution Availability section for details.

If your organization cannot migrate away from Duo's certificate-based trust solutions before August 25, 2022 please submit this extension request form as soon as possible! Although Duo is unable to guarantee an extension, our product team will follow up with you to learn more about your needs.

Device Trust Solution Availability

The following replacement solutions are ready, and we recommend you begin your migration now:

Users of the following certificate-based management integrations with macOS and Windows endpoints should migrate to Generic Device Health integrations, where Duo Device Health matches an endpoint's device identifiers collected during authentication to trusted device identifiers you uploaded to Duo via the Device API.

Additional Resources

Please refer to these additional resources to plan your migration from certificate-based management integrations: