Could certificate pinning work if one checks the intermediate certificate when the leaf certificate

Time: 08-25

I have a scenario in mind where, when the leaf certificate expires, the intermediate certificate is checked and, if the intermediate is not expired, the application will keep running and will not be affected while the leaf is getting updated. Kinda like adding a condition to check the validity of the intermediate certificate in the step of checking the validity of the leaf certificate. Is something like this possible? If so, will there be any security problems with doing this?

CodePudding user response:

If so, will there be any security problems with doing this?

Most CAs won't entertain the notion of revoking an already expired certificate, because it's already the case that no one should be trusting it.

So your scheme, at minimum, reduces the ability to revoke certificates.

The notAfter date in a certificate isn't when the ops people/process should request a new certificate, it's when they need to have already completed the changeover. Making a complicated grace period will just change people who are already not doing it on time to not do it until beyond the grace period... they're clearly error-driven/alert-driven people.
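Added example (not from the question or the answer above) that models the asker's grace-period rule next to the standard validity check, using constructed certificate records rather than real X.509 objects. It shows the revocation gap the answer describes: once the leaf has expired, the CA will not add it to the CRL, so the grace policy keeps accepting a leaf whose key may have been compromised.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Minimal stand-in for the validity and identity fields of an X.509 certificate (constructed).
@dataclass(frozen=True)
class Cert:
    subject: str
    serial: int
    not_before: datetime
    not_after: datetime

def is_within_validity(cert: Cert, now: datetime) -> bool:
    return cert.not_before <= now <= cert.not_after

def validate_chain(leaf: Cert, intermediate: Cert, crl: set[int], now: datetime,
                   policy: str) -> tuple[bool, str]:
    """Return (accepted, reason).

    policy='strict': the normal rule, the leaf must be inside its own validity period.
    policy='grace':  the asker's idea, an expired leaf is tolerated while the intermediate is valid.
    """
    if leaf.serial in crl:
        return False, "leaf revoked"
    if not is_within_validity(intermediate, now):
        return False, "intermediate outside validity period"
    if is_within_validity(leaf, now):
        return True, "leaf valid"
    if policy == "grace" and now > leaf.not_after:
        return True, "leaf expired but accepted under intermediate grace period"
    return False, "leaf outside validity period"

def demo() -> dict[str, bool]:
    """Constructed scenario: the leaf expired 10 days ago and its key is then reported compromised."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    intermediate = Cert("Example Intermediate CA", 1, t0, t0 + timedelta(days=3650))
    leaf = Cert("app.example.test", 4242, t0, t0 + timedelta(days=90))
    now = t0 + timedelta(days=100)
    # The CA declines to revoke an already-expired certificate, so the CRL never lists it.
    crl: set[int] = set()
    return {
        "strict": validate_chain(leaf, intermediate, crl, now, "strict")[0],
        "grace": validate_chain(leaf, intermediate, crl, now, "grace")[0],
    }

if __name__ == "__main__":
    print(demo())
```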
