
If my company's server leaf certificate expires, they create a new certificate with a different new public key, as per the CA and its policies.


Hence I can only pin the certificate rather than the public key or SPKI?

Doing so, I know I have to update the new certificate in the app and push it to users, but it won't work for users on old versions. Any suggestions to avoid this problem?

jww
guhan0
    It is usually not required to use another public key if renewing a certificate. And public key pinning (instead of certificate pinning) should continue to work after renewing unless the public key was changed too. Apart from that your company might pre-create some public keys they will use in the future so that you can add these as acceptable to the application even if these keys are not in use yet. – Steffen Ullrich Feb 01 '18 at 10:33
  • Agree with @Steffen. You pin the public key and keep using the same public key unless it has been compromised. That includes using the same key for new signing requests. The security community has found key continuity has better security properties than key rotation. Your company should revisit their security policies. Also see Peter Gutmann's [Engineering Security](https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf). You can also find an example of Public Key Pinning for iOS at [OWASP Public Key Pinning](https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning). – jww Feb 01 '18 at 20:54
  • *"Hence I can only pin certificate rather than public key or SPKI..."* - You can't even pin the server's certificate because Comodo is going to issue a new one. "Certificate Equivalency" is determined by (among other things) the serial number. The serial number will change if Comodo issues the new certificate. Also see [RFC 4158, Internet X.509 Public Key Infrastructure: Certification Path Building](https://tools.ietf.org/html/rfc4158). – jww Feb 01 '18 at 20:57
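The pin arithmetic behind the comments above, as an added example that is not part of the question or of the commenters' advice: it computes SPKI pins with the openssl CLI for a renewal that keeps the key, a renewal that changes the key, and a pre-announced backup key, and checks each renewed certificate against the pin set an app would ship with. File names and the CN are hypothetical, and self-signed certificates stand in for the CA-issued ones, since the pin depends only on the key.

```shell
#!/bin/sh
# Added example, not code from the question or the commenters. Hypothetical
# names; self-signed certs stand in for the CA-issued ones (the pin depends
# only on the key, not on the issuer). Requires the openssl CLI.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SPKI pin (HPKP / OWASP style): base64(sha256(DER SubjectPublicKeyInfo)) taken from a certificate.
spki_pin() {  # $1 = certificate PEM
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl base64 -A
}

# Same pin computed from a private key, so a backup key can be pinned before any cert exists for it.
key_pin() {  # $1 = private key PEM
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -binary | openssl base64 -A
}

new_cert() {  # $1 = private key, $2 = output certificate PEM
  openssl req -x509 -new -key "$1" -out "$2" -days 365 -subj "/CN=app.example.test" 2>/dev/null
}

# The app ships with the live key's pin plus a backup pin; neither is tied to a serial number.
pin_accepted() {  # $1 = certificate PEM; succeeds if its SPKI pin is in $PIN_SET
  p=$(spki_pin "$1")
  for q in $PIN_SET; do [ "$p" = "$q" ] && return 0; done
  return 1
}

for k in live rekey backup; do
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/$k.key" 2>/dev/null
done
PIN_SET="$(key_pin "$WORK/live.key") $(key_pin "$WORK/backup.key")"

new_cert "$WORK/live.key"   "$WORK/old.pem"       # the expiring leaf
new_cert "$WORK/live.key"   "$WORK/renewed.pem"   # renewal that keeps the key
new_cert "$WORK/rekey.key"  "$WORK/rekeyed.pem"   # renewal with a fresh key (the asker's case)
new_cert "$WORK/backup.key" "$WORK/rollover.pem"  # planned move to the pre-announced backup key

# Exit codes of pin_accepted, recorded for each scenario (1 = accepted by the shipped pin set).
pin_accepted "$WORK/renewed.pem"  && RENEWED_OK=1  || RENEWED_OK=0
pin_accepted "$WORK/rekeyed.pem"  && REKEYED_OK=1  || REKEYED_OK=0
pin_accepted "$WORK/rollover.pem" && ROLLOVER_OK=1 || ROLLOVER_OK=0
PIN_OLD=$(spki_pin "$WORK/old.pem"); PIN_RENEWED=$(spki_pin "$WORK/renewed.pem"); PIN_REKEYED=$(spki_pin "$WORK/rekeyed.pem")
echo "same key keeps pin: $([ "$PIN_OLD" = "$PIN_RENEWED" ] && echo yes || echo no)"
echo "renewed=$RENEWED_OK rekeyed=$REKEYED_OK rollover=$ROLLOVER_OK"
```

The rekeyed certificate is the one that old app versions reject; the rollover certificate passes because its pin was shipped before the key went live, which is the pre-created-key approach the comments suggest.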

0 Answers