Possibly stupid question here (this is not my domain), but what is the alternati... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		nsteel on June 17, 2020 \| parent \| context \| favorite \| on: Understanding Certificate Pinning Possibly stupid question here (this is not my domain), but what is the alternative to pinning the client to use your leaf certs? If it's pinning to your root cert, then isn't that much more of a pain if/when you need to revoke what the client is using? Or is the correct alternative to pin "to one or multiple rsa public keys" as mentioned in the sibling comment?

elithrar on June 30, 2020 [–]

Late reply, but: if you really must pin (and you probably shouldn’t), pin to public keys, not the certs in the chain.

nsteel on June 30, 2020 | [–]

Thank you!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact