Certificate pinning and Let's Encrypt

Hello,

how do you support certificate pinning? We've enabled by request of our security department certificate pinning for authority X3 and X4. Suddenly tons of users are reporting issues, now I see you have switched to R3 and there will be R4 at some time.

Is there any channel we can subscribe to get the notification ahead of time?

On your page ( https://letsencrypt.org/certificates/ )I see upcoming, but it does not says when from.

Thank you

1 Like

Hi,
as intermediates can change at any time without notice.

updates are posted in that forum:

eg. Beginning Issuance from R3

X4 was an backup intermediate for X3 and never signed any request.
R4 is the new backup for R3

in a few weeks/month E1 will be used for EC certificates with E2 as a backup.

not sure pinning ISRG Root X1, ISRG Root X2 could be better.

2 Likes

If you pin an intermediate, you should always pin the backup and possible future intermediates. And a different CA as backup.

The link to the API announcements section is mentioned in the LE integration guide, one of the LE documentations.

If you "subscribe" to the forum, you will be sent emails when LetsEncrypt staff make a new posting there. Only LE staff can post there. It essentially functions as an announcement list.

2 Likes

Hi @stereoit

certificate pinning is always only a client side decision.

So it's completely CA independend.

A CA can't support certificate pinning. And can't block it.

So please check your idea what certificate pinning is.

May be it's a good idea to remove it. Such errors should never happen -> client side misconfiguration.

Hi, I think I understand how it works, you select the CA on the client side. But the CA is changing, if you do not update your client (we have mobile app) before this happens, then you have a problem (like we do now).

That is why I asked how si Let'sEncrypt supporting certificate pinning (like having notification channels to which we can subscribe, or having scheduled changes).

But I do have now better understanding how to deal with that.

Short version: please don't pin intermediates. Intermediates are subject to change without notice. We of course try to give all of the notice we can, such as via posts in the API Announcements section of this forum, but we cannot guarantee that such an announcement will come with enough warning for you to do anything about it (such as in the case of having to switch to our emergency backup intermediates).

If you want your clients to pin a certificate, they should pin ISRG Root X1. (In the future, pinning ISRG Root X2 will also be a good idea if you intend to use ECDSA keys in your certificates, but ISRG Root X2 is not yet included in any root programs so you don't want or need to pin it yet.)

2 Likes