How do you update expired ssl certificates if ssl pinning is used on ios apps? It seems like only an app update would enable updating the certificate but then users who don't update the app will not receive this update.
The key is to understand the possible values for AFSecurityPolicy's pinningMode.
AFSSLPinningModeCertificate means that the certificate provided by the server must match exactly one of the pinned certificates, which by default are the certificates in your app bundle. This is the mode you are currently using.
AFSSLPinningModePublicKey means that the certificate provided by the server must contain the same public key as one of the certificates pinned by your app.
If you use AFSSLPinningModePublicKey and renew (update) your server certificate with the same keypair, your iOS app will continue to work without modification.
To address the second part of the question, yes users with old versions will be locked out.
To lower the impact, a common strategy is to include the new certificate alongside the soon to be expired certificate. This gives users a few 'buffer' versions they can be on and still have access after the changeover.
来源:https://stackoverflow.com/questions/22055153/afnetworking-ssl-pinning-expired-certificates