-2

My application implements SSL pinning with a leaf certificate, and it's about to expire.
I researched and got the answer:

Some time before the certificate expires, release a new version of your app with a replacement cert in the pin list, as well as the original cert

How can I add both the replacement cert and the original cert to my project?
I just need to add a new certificate with any name, and will Alamofire go through all the certificate files I declare and, if any match, allow the connection? Thanks

Nguyen Hoan (1,583 reputation; 1 gold, 11 silver, 18 bronze badges)
  • Is your cert issued by a "real" certificate authority? If so then, in your case, in my opinion, your next version of your app should get rid of pinning altogether and rely on the platform cert validation. While unique threat environments may demand a pinning solution, in general pinning requires at least some expertise to avoid the kind of pinning suicide that you're facing. If you don't have that expertise you shouldn't do it. For all the flaws in the Internet PKI it works well and there are mitigations for the flaws. – President James K. Polk Dec 26 '21 at 16:14

1 Answer

1

Yes, that will work. Alamofire's PinnedCertificatesTrustEvaluator gathers all certificates from the main bundle by default and checks to see whether the certificate received is within that set. So as long as both certificates are within that set, either of them should work.

Jon Shier (12,200 reputation; 3 gold, 35 silver, 37 bronze badges)
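A worked configuration for the rollover described in the answer, added here as an example and not code from the question, the answer or the Alamofire project itself. It targets Alamofire 5. The host name `api.example.com` and the file names `api-current.cer` and `api-next.cer` are assumptions; substitute your own. The evaluator's default `certificates:` argument is `Bundle.main.af.certificates`, which is what the answer refers to; the example loads the two files by name instead so that a missing or non-DER file is caught at launch rather than surfacing later as a failed connection.

```swift
import Foundation
import Security
import Alamofire

// Assumed host; the app pins only this host and fails closed for any other.
let pinnedHost = "api.example.com"

// Load DER-encoded certificates from the app bundle by name. Alamofire would
// also pick these up via Bundle.main.af.certificates, but loading them
// explicitly makes the pin set visible in code and fails fast if a file is
// missing or not DER.
func loadPinnedCertificates(names: [String]) -> [SecCertificate] {
    names.compactMap { name -> SecCertificate? in
        guard let url = Bundle.main.url(forResource: name, withExtension: "cer"),
              let data = try? Data(contentsOf: url),
              let cert = SecCertificateCreateWithData(nil, data as CFData) else {
            assertionFailure("Pinned certificate \(name).cer is missing or not DER-encoded")
            return nil
        }
        return cert
    }
}

// Both the expiring leaf and its replacement are in the same pin set, so a
// client that updated before the server switches certificates keeps working
// after the switch. Assumed file names: api-current.cer and api-next.cer.
let pinnedCertificates = loadPinnedCertificates(names: ["api-current", "api-next"])

let evaluators: [String: ServerTrustEvaluating] = [
    pinnedHost: PinnedCertificatesTrustEvaluator(
        certificates: pinnedCertificates,
        acceptSelfSignedCertificates: false,
        performDefaultValidation: true,   // keep the platform chain and expiry checks
        validateHost: true                // the leaf must also match the host name
    )
]

// allHostsMustBeEvaluated (default true) makes a request to any host without an
// evaluator fail instead of silently skipping pinning for it.
let serverTrustManager = ServerTrustManager(allHostsMustBeEvaluated: true,
                                            evaluators: evaluators)
let session = Session(serverTrustManager: serverTrustManager)

session.request("https://\(pinnedHost)/health").response { response in
    if let error = response.error, error.isServerTrustEvaluationError {
        print("Pin check failed: \(error)")
    } else {
        print("Connected: a certificate in the presented chain matched the pin set")
    }
}
```

The evaluator compares the DER bytes of every certificate in the chain the server presents against the DER bytes of the pinned set and passes if any one matches, so this is exact-certificate pinning: a renewed certificate with a new key or new serial number will not match the old file. Once the server has switched to the new leaf, a later release can drop `api-current.cer` from the bundle, and the same two-cert window has to be repeated before the next expiry.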