
We have the following situation and need advice, since nobody has previous experience with pinned mobile applications.

  1. We have one wildcard SSL certificate for the domain, maintained at Azure - *.example.com
  2. There are multiple endpoints that the cert has been applied to, including the one that is used by the mobile application.
  3. Mobile application has this certificate pinned.
  4. The cert will expire in about 45 days.

What will be the best course of actions to renew the certificate, with ideally no downtime, or minimal downtime for mobile and other applications?

If we renew the cert, we need to push an update for the mobile application to the store with it. It will take some time to get approved by the store, and during that time the application will not be able to communicate with the backend if we go straight forward.

So, we need advice from those with such experience, please.

Thanks for your help in advance.

mikosha

1 Answer


The only reliable solution will be:

  1. acquire the new certificate now (in advance) and get its details (thumbprint, public key, whatever other properties you use for pinning)
  2. make the mobile application (external endpoint) update to trust both the existing and the newly acquired certificate.
  3. push the update to the appropriate stores (where clients can get the new version of the mobile application)
  4. wait until the current certificate expires and hope that all clients have updated their application
  5. switch the web app to the new certificate.

That is, the replacement certificate must be obtained in advance to get its details, make the updates, have time to propagate the updates, and only then change the certificate on the front end.

Crypt32
  • Just one question: how to make the mobile application (external endpoint) update to trust the existing and newly acquired certificate? – mikosha Apr 02 '18 at 15:46
  • Just patch the application (I suspect you own the application) and push the updated version to the store. – Crypt32 Apr 02 '18 at 17:03
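The rollover the answer describes, shown as an added example (not code from the question or answer): the transitional app build ships a pin set containing both the current and the replacement key, and only builds carrying that set keep connecting once the server switches. The SPKI byte strings are constructed stand-ins, not real keys; the `sha256/base64(SPKI)` pin form and the version labels are assumptions.

```python
import base64
import hashlib
from dataclasses import dataclass


def spki_pin(spki_der: bytes) -> str:
    """Pin value in the common form: base64(SHA-256(SubjectPublicKeyInfo DER)).
    Pinning the public key rather than the certificate thumbprint means a
    renewal that keeps the same key pair needs no app update at all."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass(frozen=True)
class PinSet:
    """Pins a given app build ships with; any match in the set is accepted."""
    version: str
    pins: frozenset

    def accepts(self, presented_spki_der: bytes) -> bool:
        return spki_pin(presented_spki_der) in self.pins


# Constructed stand-ins for the DER SubjectPublicKeyInfo of the current
# certificate and of the replacement acquired in advance (not real keys).
OLD_SPKI = b"constructed-spki-of-current-wildcard-cert"
NEW_SPKI = b"constructed-spki-of-replacement-wildcard-cert"

# Build already in the field: pins only the current certificate.
BUILD_OLD = PinSet("1.0", frozenset({spki_pin(OLD_SPKI)}))
# Transitional build pushed to the store before the switch: trusts both.
BUILD_BOTH = PinSet("1.1", frozenset({spki_pin(OLD_SPKI), spki_pin(NEW_SPKI)}))

# Server-side phases of the rollover: which key the front end presents.
PHASES = [("current cert live", OLD_SPKI), ("new cert live", NEW_SPKI)]


def rollover_outcomes(builds, phases):
    """For each phase, report which app builds can still complete pinning."""
    return {name: {b.version: b.accepts(spki) for b in builds} for name, spki in phases}


if __name__ == "__main__":
    for phase, result in rollover_outcomes([BUILD_OLD, BUILD_BOTH], PHASES).items():
        print(phase, result)
```

Clients still on build 1.0 when the server switches are exactly the ones the answer's step 4 waits for; the longer the transitional build has been in the store, the fewer of them remain.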