SSL Pinning and certificate expiry

Question

This question relates to the use of SSL Pinning in a client app against a web api and certificate expiry.

Scenario:

I own example.co

Answer 1

Your application can store multiple certificates in its pin list. The procedure for changing the cert would then be:

• Some time before the certificate expires, release a new version of your app with a replacement cert in the pin list, as well as the original cert
• when the old certificate expires, replace it on the server - the app should then still work as the new cert will already be in the pin list
• Some time after the cert expires, release a new version of your app removing the old cert

Remember your users have to update the app before the old cert expires