Is it possible to renew a certificate using the X1 intermediate certificate?

We have a certificate in use by a mobile app client to communicate to our service API. Our app is implementing SSL pinning against the fingerprint of the X1 intermediate certificate. Although the X3 certificate was created using the same private key, the fingerprint has still changed.

We have recently issued a renewal for the certificate but had to revert since the SSL pinning was not accepting the new X3 certificate. We do not require Windows XP support at all, as this certificate is only used on mobile phones. Would it be possible to add an option to the client to renew the certificate against the X1 certificate?


Unfortunately, no:

Sorry, no. If you’re implementing key pinning in your app, I recommend (a) you use the standard HPKP techniques, and (b) you follow the HPKP best practices described here.

If you’re pinning based on the hash of SubjectPublicKeyInfo, as HPKP does, you shouldn’t have any problem, since the SubjectPublicKeyInfo stayed the same. But it sounds from your message as if you are pinning based on the hash of the whole intermediate certificate.
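As an added example (not from the original thread, and not Let's Encrypt's own tooling), the following POSIX shell script uses the openssl CLI to show the difference the reply describes. It generates one RSA key, issues two certificates for that key (standing in for the X1 and X3 intermediates, with a different subject, serial and validity period), and then compares the HPKP-style SPKI pin with a fingerprint taken over the whole certificate. The key, file names and subject names are constructed for the demo; the pin computation itself (base64 of the SHA-256 of the DER SubjectPublicKeyInfo) is the standard HPKP one.

```shell
#!/bin/sh
# Added example: SPKI pin vs. whole-certificate fingerprint.
# Requires the openssl CLI; key, file names and subjects are constructed for the demo.
set -eu

# HPKP pin: base64(SHA-256(DER-encoded SubjectPublicKeyInfo)).
# This value depends only on the public key, not on any other certificate field.
spki_pin() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A
}

# SHA-256 over the entire DER certificate. This is what the app in the thread pinned;
# it changes whenever any field (serial, validity, subject, extensions) changes.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Client-side check: does CERT carry the public key whose pin we trust?
# Exit status 0 = pin matches, 1 = mismatch.
verify_spki_pin() {
    cert=$1
    expected=$2
    [ "$(spki_pin "$cert")" = "$expected" ]
}

# Generate one RSA key and two certificates for it in DIR.
# x1.pem stands in for the original intermediate, x3.pem for the reissued one:
# same key, but a different subject, serial and validity period.
make_demo_certs() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/int.key" 2>/dev/null
    openssl req -x509 -new -key "$dir/int.key" -subj "/CN=Demo Intermediate X1" \
        -days 365 -out "$dir/x1.pem" 2>/dev/null
    openssl req -x509 -new -key "$dir/int.key" -subj "/CN=Demo Intermediate X3" \
        -days 730 -out "$dir/x3.pem" 2>/dev/null
}

# Run the comparison and print both views side by side.
demo() {
    dir=$(mktemp -d)
    make_demo_certs "$dir"
    pin_x1=$(spki_pin "$dir/x1.pem")
    echo "X1 SPKI pin:    $pin_x1"
    echo "X3 SPKI pin:    $(spki_pin "$dir/x3.pem")"
    echo "X1 fingerprint: $(cert_fingerprint "$dir/x1.pem")"
    echo "X3 fingerprint: $(cert_fingerprint "$dir/x3.pem")"
    if verify_spki_pin "$dir/x3.pem" "$pin_x1"; then
        echo "X3 accepted by an SPKI pin taken from X1"
    else
        echo "X3 rejected by an SPKI pin taken from X1"
    fi
    rm -rf "$dir"
}

demo
```

Running it shows the two SPKI pins identical and the two fingerprints different, which is exactly why the reissued X3 broke an app that pinned the fingerprint and would not have broken one that pinned the SPKI. In a real deployment, keep a pin for at least one backup key as well, so that a key rotation (as opposed to a reissue for the same key) does not lock clients out.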
