To ensure security, flexibility, and minimal maintenance effort, we recommend the following:
 

  1. Trust the Let’s Encrypt CA

    Instead of pinning the server certificate, include the Root and Intermediate Certificates of Let’s Encrypt in your trusted certificate chain. Specifically:

    • ISRG Root X1 (Root Certificate)
    • Let’s Encrypt R3 (Intermediate Certificate)

    This approach ensures seamless renewals of our server certificate, which Let’s Encrypt handles automatically every 90 days. You can find the most recent certificate chain on the official Let’s Encrypt website.

  2. Set Up Certificate Transparency (CT) Log Monitoring

    Monitor all certificates issued for our domain through Certificate Transparency Logs. This enables you to detect any unauthorized certificate issuance and respond promptly if needed. Tools like crt.sh or the Google Certificate Transparency Log Viewer are excellent for this purpose.

  3. Public Key Pinning (PKP) as a Fallback

    If certificate pinning is essential for your use case, consider pinning the public key of our Let’s Encrypt certificate rather than the full certificate. This allows flexibility for certificate renewals as long as the public key remains the same. A backup key can also be provided for additional security if a key rotation becomes necessary.
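As an added example that is not part of this article or of PTV's own code, the following Go client-side check implements the PKP fallback above: it pins the SHA-256 hash of the certificate's SubjectPublicKeyInfo rather than the certificate itself, so a renewed certificate issued for the same key pair still validates, and it keeps a backup pin in the allowed set. The callback is meant to be wired into `tls.Config.VerifyPeerCertificate` with `InsecureSkipVerify` left at false, so normal chain validation against ISRG Root X1 still runs first; the self-signed certificates here are constructed test fixtures, not anything the server actually serves.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

// spkiPin returns base64(SHA-256(SubjectPublicKeyInfo)) of a DER certificate; unlike a certificate pin it survives 90-day renewals as long as the server keeps its key pair.
func spkiPin(certDER []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// pinnedVerifier builds a tls.Config.VerifyPeerCertificate callback that accepts the leaf
// only if its pin is in the allowed set: the current pin plus at least one backup pin.
func pinnedVerifier(allowed []string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("no peer certificate presented")
		}
		got, err := spkiPin(rawCerts[0])
		if err != nil {
			return err
		}
		for _, p := range allowed {
			if p == got {
				return nil
			}
		}
		return errors.New("public key pin mismatch: " + got)
	}
}

// selfSignedDER is a constructed stand-in for a (renewed) server certificate, not client code.
func selfSignedDER(priv ed25519.PrivateKey, serial int64) []byte {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial),
		NotBefore: time.Now(), NotAfter: time.Now().Add(90 * 24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv) // test fixture only
	return der
}
```

Generate the backup key pair offline and keep it out of the serving environment until a rotation is needed; a pin set shipped without a backup pin leaves no way to rotate the server key without locking clients out.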

 

We understand that these solutions may require some collaboration and discussion to align with your specific requirements. Please do not hesitate to contact us; we can connect you with one of our specialists to provide additional insights and work with your technical team to identify the best approach.
 

Related Products: PTV Developer