undefined | Better HN

0 pointsqmarchi1y ago0 comments

CYBS Engineer here.

We're already working on it. Keep an eye for merchant notifications if you use certificate pinning.

Now, back to rotating certificates....

0 comments

Maybe you (or anyone) could shed light on something for me?

I'm sure leaf certificate pinning is very common among your customers. Assuming that pinning is a manual process where customers decide to implicitly trust a specific cert, what's the point of using a third party CA for those customers all?

Does anybody self-sign or use a private CA on specific endpoints with longer certificate validity, and let the pinning customers use those?

Plasmoid1y ago

We have explicitly told customers not to pin our certificates and if they suffer downtime due to pinning it will not be considered a breach of our SLA.

We have one customer who has demonstrated enough competence with certificates that we create a private ca endpoint and let them use that. The private root lasts around 5 years, and they pin to that.

crazysim1y ago

Out of curiosity, is your organization planning to switch to Let's Encrypt or just another year long certificate provider?

It'll be interesting to see what, if any, organizations affected by this switch to: Stick with 1 YR certs or go to the future with free 90 days?

j / k navigate · click thread line to collapse