LetsEncrypt Client Pinning

vcsjones · June 6, 2016, 1:54pm

I’m working on a Let’s Encrypt client, and have a question about pinning.

Would it be advisable to pin one of the certificates in the certificate chain for ACME itself, such as TrustID Server CA A52?

We’d like to pin a certificate for the Boulder server in our client, but if there is no reasonable assurance that the intermediate’s public key won’t change unannounced, we’ll have to skip the idea.

On a slightly related thought, it would be nice if LetsEncrypt advertised what public keys to pin, probably using the standard Public-Key-Pins HTTP header so that clients which want to pin against LetsEncrypt’s ACME CA, can.

jsha · June 7, 2016, 12:18am

I would strongly discourage you from pinning any certificates in your ACME client. As you’ve no doubt noticed, we don’t currently set an HPKP header, so we’re not committing to serve any particular certificate chain for the API.

Thanks,
Jacob

vcsjones · June 7, 2016, 1:56am

Jacob,

Thanks for clarifying. We won’t do pinning, hopefully one day it’s something that LE can do.

rugk · June 8, 2016, 5:31pm

Indeed, would be nice to have a HPKP header for the API. And LE clients should of course respect this header if possible.

system · July 8, 2016, 5:32pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Public Key Pins Header Feature Requests	2	2325	July 9, 2016
HPKP best practices if you choose to implement Server	20	42606	April 11, 2018
Certificate pinning and Let's Encrypt Help	7	2377	February 4, 2021
Project Proposal: Automating HTTP Public Key Pinning Feature Requests	1	1958	October 2, 2016
Official HPKP support from Let's Encrypt Feature Requests	19	9945	January 12, 2017

LetsEncrypt Client Pinning

Related topics