Answer
To ensure security, flexibility, and minimal maintenance effort, we recommend the following:
Trust the Let’s Encrypt CA
Include the Let’s Encrypt root certificate in your client’s trust store instead of pinning the server (leaf) certificate. Specifically:
- ISRG Root X1 (root certificate, the long-lived trust anchor)
- the current Let’s Encrypt intermediate, R3 at the time of writing (intermediate certificate), only if your TLS library cannot build the chain from the intermediate the server sends
Let’s Encrypt certificates are valid for 90 days and are renewed automatically on our side; because your client trusts the CA rather than one specific certificate, renewals require no change on your side. Note that Let’s Encrypt rotates its intermediates far more often than its root (R3 has since been succeeded by the newer RSA intermediates R10/R11 and the ECDSA intermediates E5/E6), so trusting only the root and letting the server supply the intermediate in its chain is the option with the least maintenance. If your deployment may receive an ECDSA certificate, also include ISRG Root X2. Check the latest certificate chain on their official website (https://letsencrypt.org/certificates/).
Set Up Certificate Transparency (CT) Log Monitoring
Every publicly trusted certificate, including each Let’s Encrypt renewal, is published to Certificate Transparency logs. Track all certificates issued for our domain via those logs to catch unauthorized or unexpected issuances quickly: alert on any certificate from an issuer other than Let’s Encrypt, any hostname you do not expect, or any issuance outside the normal renewal cadence. Tools like crt.sh or the Google Certificate Transparency Log Viewer (or a scheduled query against their APIs) work well for this.
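The following is an added example of such a scheduled check, written for this answer and not part of the original page or of crt.sh itself. It assumes the crt.sh JSON output format (fields id, issuer_name, name_value, not_before, not_after, serial_number) and an allow-list of expected issuers; the live query lives in fetch_crtsh(), while the decision logic in find_unexpected() is pure and is exercised on a constructed sample.

```python
"""Poll crt.sh for certificates covering a domain and flag unexpected ones.

Added example for this answer, not code from the original page. It assumes
the crt.sh JSON output format (fields id, issuer_name, name_value,
not_before, not_after, serial_number); fetch_crtsh() performs the live query,
find_unexpected() is pure and is exercised on the constructed sample below.
"""
import json
import urllib.parse
import urllib.request

CRTSH_URL = "https://crt.sh/?q={query}&output=json"

# Issuer markers we expect for our domain; crt.sh's issuer_name looks like
# "C=US, O=Let's Encrypt, CN=R3". Anything else is worth an alert.
EXPECTED_ISSUER_MARKERS = ("O=Let's Encrypt",)


def fetch_crtsh(query: str, timeout: float = 30.0) -> list:
    """Fetch crt.sh results for one identity query, e.g. "example.com" or "%.example.com"."""
    url = CRTSH_URL.format(query=urllib.parse.quote(query))
    req = urllib.request.Request(url, headers={"User-Agent": "ct-monitor-example/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def _san_names(entry: dict) -> list:
    # crt.sh joins all DNS names of one certificate with newlines in name_value
    return [n.strip().lower() for n in entry.get("name_value", "").split("\n") if n.strip()]


def find_unexpected(entries: list, domain: str, seen_ids, expected=EXPECTED_ISSUER_MARKERS):
    """Split crt.sh entries into (new_entries, alerts).

    new_entries: entries whose crt.sh id has not been processed before
                 (precertificate and final certificate appear as separate ids).
    alerts:      (entry, reasons) for new entries from an issuer outside the
                 allow-list, or listing a name outside our domain.
    """
    domain = domain.lower()
    suffix = "." + domain
    new_entries, alerts = [], []
    for entry in entries:
        if entry["id"] in seen_ids:
            continue
        new_entries.append(entry)
        reasons = []
        issuer = entry.get("issuer_name", "")
        if not any(marker in issuer for marker in expected):
            reasons.append("unexpected issuer: " + issuer)
        foreign = [n for n in _san_names(entry) if n != domain and not n.endswith(suffix)]
        if foreign:
            reasons.append("names outside %s: %s" % (domain, ", ".join(foreign)))
        if reasons:
            alerts.append((entry, reasons))
    return new_entries, alerts


# Constructed sample in crt.sh's JSON shape (not real log data): two normal
# Let's Encrypt issuances and one from an issuer we never use.
SAMPLE_ENTRIES = [
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "api.example.com", "name_value": "api.example.com",
     "not_before": "2024-03-01T10:00:00", "not_after": "2024-05-30T10:00:00",
     "serial_number": "03a1"},
    {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "api.example.com", "name_value": "api.example.com\nwww.example.com",
     "not_before": "2024-04-30T10:00:00", "not_after": "2024-07-29T10:00:00",
     "serial_number": "03b2"},
    {"id": 1003, "issuer_name": "C=GB, O=Some Other CA Ltd, CN=Some Other CA DV",
     "common_name": "api.example.com", "name_value": "api.example.com\napi.example.net",
     "not_before": "2024-05-02T08:00:00", "not_after": "2025-05-02T08:00:00",
     "serial_number": "0c33"},
]


def check_domain_once(domain: str, seen_ids: set) -> list:
    """One monitoring run: query apex and subdomains, record ids, return alerts."""
    entries = fetch_crtsh(domain) + fetch_crtsh("%." + domain)
    new_entries, alerts = find_unexpected(entries, domain, seen_ids)
    seen_ids.update(e["id"] for e in new_entries)
    return alerts


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; id 1001 was already seen.
    new, alerts = find_unexpected(SAMPLE_ENTRIES, "example.com", {1001})
    print(len(new), "new entries")
    for entry, reasons in alerts:
        print("ALERT crt.sh id %s serial %s: %s"
              % (entry["id"], entry["serial_number"], "; ".join(reasons)))
```

Run check_domain_once() from a cron job with the set of seen ids persisted between runs; a certificate from an issuer you never use, or covering a hostname you do not own, is the signal that someone obtained a certificate for the domain outside your renewal process.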
Public Key Pinning (PKP) as a Fallback
If certificate pinning is essential for your client, pin the hash of the public key (SubjectPublicKeyInfo, SPKI) of our Let’s Encrypt certificate instead of the full certificate, and enforce it on top of normal chain and hostname validation, never as a replacement for it. Renewals then keep working as long as the public key stays the same; note that this requires us to keep the same key pair across renewals (ACME clients such as certbot generate a fresh key at every renewal unless configured otherwise, e.g. with certbot --reuse-key), so it has to be agreed with us before you ship a pin. Always ship a second pin for a backup key generated and stored offline in advance, so that a key rotation (planned, or forced by a compromise) can be rolled out without locking your clients out. Keep in mind that browsers have removed support for the HPKP header, so this approach applies to native and mobile clients under your control.
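As an added example (not part of the original answer or of any Let’s Encrypt tooling), the block below shows the pin computation and the check as a client would enforce it, using only the Python standard library: the pin is base64(SHA-256(DER SubjectPublicKeyInfo)), the same pin-sha256 format HPKP and Android’s network security configuration use, and the pin set is only consulted after the chain has been validated against a CA bundle. The CA bundle path is an assumption (a PEM file containing ISRG Root X1), the sample certificate is a constructed structure rather than a real certificate, and the backup pin is a placeholder.

```python
"""SPKI (public-key) pinning enforced on top of normal certificate validation.

Added example for this answer, not code from the original page. A minimal DER
walker extracts the subjectPublicKeyInfo, the pin is base64(SHA-256(SPKI)),
and connect_with_pins() validates the chain first and applies the pin set
afterwards. The CA bundle path and the sample certificate are assumptions
or constructed data; the backup pin is a placeholder.
"""
import base64
import hashlib
import socket
import ssl


def _der_tlv(buf: bytes, pos: int):
    """Decode the DER TLV starting at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _der_children(value: bytes):
    """Yield (tag, raw TLV bytes) for each element directly inside a SEQUENCE value."""
    pos = 0
    while pos < len(value):
        tag, _, nxt = _der_tlv(value, pos)
        yield tag, value[pos:nxt]
        pos = nxt


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER subjectPublicKeyInfo of an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = _der_tlv(cert_der, 0)
    tbs_tag, tbs_raw = next(_der_children(cert_body))
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER-encoded certificate")
    fields = list(_der_children(_der_tlv(tbs_raw, 0)[1]))
    if fields and fields[0][0] == 0xA0:      # explicit [0] version tag (present in v3 certs)
        fields = fields[1:]
    spki_tag, spki_raw = fields[5]           # serial, signature, issuer, validity, subject, SPKI
    if spki_tag != 0x30:
        raise ValueError("unexpected tag for subjectPublicKeyInfo")
    return spki_raw


def pin_for_spki(spki_der: bytes) -> str:
    """pin-sha256 value for a DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def spki_pin(cert_der: bytes) -> str:
    """Pin of the key inside a certificate (the value you publish to clients)."""
    return pin_for_spki(extract_spki(cert_der))


def check_pins(cert_der: bytes, pins) -> bool:
    """True if the certificate's key matches any pin; a set without a backup pin is refused."""
    pins = set(pins)
    if len(pins) < 2:
        raise ValueError("pin set needs the current key's pin plus at least one backup pin")
    return spki_pin(cert_der) in pins


def connect_with_pins(host: str, pins, cafile: str, port: int = 443) -> bytes:
    """TLS connect with chain + hostname validation, then the SPKI pin check.

    cafile is assumed to hold the Let's Encrypt root (ISRG Root X1) in PEM form;
    the pin is only checked after a chain to that root has been verified.
    Returns the server's leaf certificate in DER form.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            if not check_pins(leaf, pins):
                raise ssl.SSLError("SPKI pin mismatch for %s: got %s" % (host, spki_pin(leaf)))
            return leaf


def der_encode(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV (only used to build the constructed sample below)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


# Constructed sample: structurally valid v3 certificate with an RSA SPKI built
# from a made-up modulus, empty names and a dummy signature. NOT a real
# certificate; it only exercises the parser (including long-form lengths).
_RSA_OID = der_encode(0x06, bytes.fromhex("2A864886F70D010101"))          # rsaEncryption
_SHA256_RSA_OID = der_encode(0x06, bytes.fromhex("2A864886F70D01010B"))   # sha256WithRSAEncryption
_NULL = der_encode(0x05, b"")
SAMPLE_SPKI = der_encode(0x30, der_encode(0x30, _RSA_OID + _NULL) + der_encode(
    0x03, b"\x00" + der_encode(0x30, der_encode(0x02, b"\x00\xC3" + bytes(range(1, 200)))
                               + der_encode(0x02, b"\x01\x00\x01"))))
_SAMPLE_TBS = der_encode(0x30,
    der_encode(0xA0, der_encode(0x02, b"\x02"))                                  # version v3
    + der_encode(0x02, b"\x01\x23")                                              # serialNumber
    + der_encode(0x30, _SHA256_RSA_OID + _NULL)                                  # signature
    + der_encode(0x30, b"")                                                      # issuer (empty Name)
    + der_encode(0x30, der_encode(0x17, b"240301100000Z") + der_encode(0x17, b"240530100000Z"))
    + der_encode(0x30, b"")                                                      # subject (empty Name)
    + SAMPLE_SPKI)
SAMPLE_CERT_DER = der_encode(0x30, _SAMPLE_TBS + der_encode(0x30, _SHA256_RSA_OID + _NULL)
                             + der_encode(0x03, b"\x00" + bytes(32)))
BACKUP_PIN = pin_for_spki(b"placeholder: SPKI of the offline backup key goes here")
```

For a real deployment, compute the pin with spki_pin() on the current leaf (or pin_for_spki() on the public key of the backup key pair you generated offline), ship both values to the client, and call connect_with_pins(host, [current_pin, BACKUP_PIN], cafile). Refusing a pin set without a backup is deliberate: a single pin plus a key rotation is exactly the outage scenario the answer warns about.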
Additional hints
We understand that these solutions may require some collaboration and discussion to align with your specific requirements. To facilitate this, please do not hesitate to contact us; we can connect you with one of our specialists to provide additional insights and work with your technical team to identify the best approach.