This article clarifies the purpose of certificate pinning to help administrators assess the impact of Secure Sockets Layer (SSL) certificate rotation. It describes how this technique works in the context of receiving notifications about certificate renewals.
- Administrator emails
- Certificate pinning
- SSL certificate rotation
- Custom applications
NOTE: While certificate pinning was once a recommended security practice to prevent unauthorized certificate issuance, it has become a legacy technique that often does more harm than good. In the modern Public Key Infrastructure (PKI) ecosystem, pinning is universally discouraged due to its high risk of service disruption and incompatibility with current security standards.
Certificate pinning associates a host with its expected public key or certificate. Implementations aim to prevent man-in-the-middle attacks that rely on an unauthorized certificate, and they are mostly found in custom applications.
Certificate pinning works by telling the client exactly which certificate to expect. The client compares the fingerprint of the certificate presented by the server with the pinned value and, if they do not match, refuses to connect. This lets an organization verify the relationship between the server and the endpoint directly. It also means that rotating the server certificate changes the fingerprint, so a client pinned only to the old certificate stops connecting until its pin is updated.
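The following Python example, added here and not part of the article or any Okta code, shows the fingerprint comparison described above and why a rotation breaks a client pinned only to the old certificate. The two byte strings are constructed stand-ins for DER-encoded certificates (a real client would take the bytes from `sock.getpeercert(binary_form=True)` after the TLS handshake); the function names are this example's own.

```python
import hashlib
import hmac

# Constructed stand-ins for two DER-encoded leaf certificates: the one currently
# served ("old") and its replacement after rotation ("new"). They are not real
# certificates; only their bytes matter for the fingerprint comparison shown here.
OLD_CERT_DER = b"\x30\x82constructed-old-leaf-certificate"
NEW_CERT_DER = b"\x30\x82constructed-new-leaf-certificate"


def fingerprint(cert_der: bytes) -> str:
    """Return the SHA-256 fingerprint of a DER certificate in OpenSSL's
    colon-separated form ("AB:CD:..."), the form usually embedded as a pin."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(cert_der: bytes, pinned: list[str]) -> bool:
    """Accept the presented certificate only if its fingerprint equals one of
    the embedded pins. hmac.compare_digest keeps the comparison constant-time."""
    presented = fingerprint(cert_der)
    return any(hmac.compare_digest(presented, p.upper()) for p in pinned)


def simulate_rotation() -> dict[str, bool]:
    """Walk through the rotation scenario and report whether a pinned client
    would connect in each case."""
    pins_old_only = [fingerprint(OLD_CERT_DER)]
    # Shipping the replacement certificate's pin ahead of the rotation is what
    # keeps a pinned client working across the change.
    pins_with_backup = [fingerprint(OLD_CERT_DER), fingerprint(NEW_CERT_DER)]
    return {
        "before_rotation": pin_matches(OLD_CERT_DER, pins_old_only),
        "after_rotation_old_pin_only": pin_matches(NEW_CERT_DER, pins_old_only),
        "after_rotation_with_backup_pin": pin_matches(NEW_CERT_DER, pins_with_backup),
    }


if __name__ == "__main__":
    for case, ok in simulate_rotation().items():
        print(f"{case}: {'connects' if ok else 'refuses to connect'}")
```

Running it prints that the client connects before rotation, refuses after rotation when only the old pin is embedded, and connects again when the new certificate's pin was embedded in advance. This is the check an application team can run against the new certificate from the Okta PKI repository before the rotation takes effect.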
Typically, certificate pinning is used in custom-developed applications, where the pin is embedded in the application code. To determine whether this technique is in use, follow these steps:
- Contact the team responsible for creating the applications.
- Confirm whether pinning was implemented in the application code.
- If pinning is in use, refer to the Okta PKI repository to obtain the latest certificates.
If custom-built applications are not in use, certificate pinning is likely not present, and certificate renewals should have no impact.
