klippa-app/nativescript-http

Public key pinning...backup keys

mayerlench opened this issue · 2 comments

I'm working on public key pinning for my nativescript app and I came across this wonderful repo. It's pretty difficult to find straightforward information on public-key pinning and good instructions on how to do it.

A few questions I have which maybe you can answer:

For example, if you pin to the public key of your server's certificate, you should generate a backup key that is stored somewhere safe.

  1. What type of key should be generated as a backup, another private key?
  2. How does this help user lockout from the app? Is it because the private key doesn't change any of the SubjectPublicKeyInfo in the SSL certificate?

We currently have an API with certificates that change every 90 days from the same CA (Let's Encrypt). We don't want to have to release a new app every 90 days which will most likely cause user lockout.

We are trying to avoid this issue by pinning the public key but I'm failing to understand the backup keys process.

I don't know a whole lot about it either, and I also don't use it myself. But I'm going to try to answer your questions:

> What type of key should be generated as a backup, another private key?

Yes, another private key that you can use to request a certificate with in case something happens to the first one, a leak for example.

> How does this help user lockout from the app? Is it because the private key doesn't change any of the SubjectPublicKeyInfo in the SSL certificate?

As far as I understand, yes.

> We currently have an API with certificates that change every 90 days from the same CA (Let's Encrypt). We don't want to have to release a new app every 90 days which will most likely cause user lockout.

Reading this article: https://community.letsencrypt.org/t/how-to-use-ssl-from-lets-encrypt-for-ssl-pinning-in-mobile-app/135720/13
It looks like Let's Encrypt also creates a new private key every time, which breaks certificate pinning, unless the option --reuse-key is given.

Sorry I can't be of more help. My take on SSL pinning is that if you aren't completely sure that you're doing it right, you shouldn't do it.

That makes sense. Thanks for the clarification, it was a huge help.
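The backup-key idea discussed in this thread, as an added Node.js example that is not part of the original issue or of nativescript-http: a pin is a hash of the key's SubjectPublicKeyInfo, so it can be computed for a backup key before any certificate exists, and a renewal that keeps the key (as with --reuse-key) keeps the pin. The function names are hypothetical, the keys are generated on the fly, and the base64 SHA-256 pin format is an assumption; check which format your pinning library expects.

```javascript
// Added example: all names here are illustrative, keys are constructed sample data.
const crypto = require('node:crypto');

// Generate an EC P-256 key pair as PEM, the way a server operator would hold it.
function newKeyPair() {
  return crypto.generateKeyPairSync('ec', {
    namedCurve: 'prime256v1',
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
}

// Pin = base64(SHA-256(DER-encoded SubjectPublicKeyInfo)).
// Accepts a public or a private key PEM; the public part is derived if needed.
function spkiPin(keyPem) {
  const spkiDer = crypto.createPublicKey(keyPem).export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(spkiDer).digest('base64');
}

// Client-side decision: accept only if the served public key's pin was shipped in the app.
// A real client takes this public key from the server's leaf certificate.
function isPinned(servedPublicKeyPem, pinSet) {
  return pinSet.includes(spkiPin(servedPublicKeyPem));
}

function demo() {
  const primary = newKeyPair(); // key behind the current certificate
  const backup = newKeyPair();  // stored offline, no certificate issued yet
  const fresh = newKeyPair();   // what a renewal that regenerates the key produces

  // Both pins ship in the app; the backup pin is computed from the stored private key.
  const appPins = [spkiPin(primary.privateKey), spkiPin(backup.privateKey)];

  return {
    appPins,
    renewalSameKey: isPinned(primary.publicKey, appPins),  // new cert, same key
    rotatedToBackup: isPinned(backup.publicKey, appPins),  // primary leaked, cert reissued on backup
    renewalNewKey: isPinned(fresh.publicKey, appPins),     // key regenerated: users locked out
  };
}

console.log(demo());
```

Only the renewal on a newly generated key fails the check, which is the lockout case the thread is trying to avoid.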