Ah yeah, certificate pinning is one of the use-cases that requires you to define what's effectively a local trust store, valid only for your application. You're absolutely right to not pin an intermediate: Not only does R3 expire, Let's Encrypt will also start issuing from randomized new intermediates soon. If you have to pin something, pinning the root is your best bet. You will need at least ISRG Root X1 for that. If you ever intend to issue an ECDSA certificate, ISRG Root X2 is recommended as well. And, as @petercooperjr already said, having some sort of backup certificate for emergencies is recommended, unless you can easily roll out software updates in an emergency already.
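As an added example, not part of the original post, this is what the "local trust store, valid only for your application" looks like in Go: the client verifies the server's leaf against a pool that holds only the pinned roots (never the OS store) and takes the intermediate from the handshake, so an intermediate rotation needs no app update. The roots and chain are constructed Ed25519 test certificates standing in for ISRG Root X1/X2 and Let's Encrypt's intermediates; names such as root-a.test and example.test are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert builds a constructed Ed25519 test cert; a nil parent yields a self-signed root.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // leaf: cn doubles as the hostname
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// pool builds a cert pool; with the pinned roots it is the app-local trust store.
func pool(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// pinnedVerify checks leaf against the pinned roots only, never the OS store;
// the intermediate comes from the handshake because it rotates and is not pinned.
func pinnedVerify(leaf, inter *x509.Certificate, pinned *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pinned, Intermediates: pool(inter)})
	return err
}
```

Pinning two roots, e.g. pool(rootX1, rootX2), gives the backup path the post recommends: a leaf chaining to either root verifies, while an otherwise valid chain under any other root is rejected.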