Does the thumbprint change every 3 months?

wanting to use the service but need to know if the thumbprint will change every 3 month, as we have to build that into an app, this would mean having to redo the app every 3 months too

  • The certificate will change at least every 3 month (So, it’s checksum will change)
  • The public key may stays the same if you ask for the same.

May I ask why do you need to do certificate (or key pinning) in your application?

1 Like

we use key pinning to reduce security threat as identified during our pen test

Pinning in the web browser ecosystem (HPKP) has largely fallen out of favour. If you have an alternative environment where pinning makes sense I strongly encourage you to pin to the public key of the active LE intermediate certificate (and a backup). Pinning the public key of the leaf certificate is very risky.

1 Like
  1. any chromium based browesers (chrome, safari, new version of edge, most of android browsers) ignores HPKP header form sites
  2. if you use certbot, keep mind certbot does not renew certs issued with -csr option, that need to fix a public key

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.