In the previous article, “.NET Certificate Pinning: A Practical Guide”, we implemented simple certificate pinning in a command line .NET application. You went and implemented it in your app. You tested it and it worked perfectly.

Fast forward a few months and your users cannot connect. You haven’t changed the code in ages. You check your API and it works fine, but your app does not.

The problem is certificate rotation: something completely outside your control that still managed to break your application, most likely in the most awkward way and at the worst possible time.

What is certificate rotation?

Certificate rotation is the process of replacing an existing certificate with a new one. Certificates are rotated for the following reasons:

  • the certificate is about to expire (some more often than others, and yes, I am looking at you, Let’s Encrypt, with your 90-day certificates),
  • the certificate has been revoked (for example after a private key compromise),
  • a stronger key or signature algorithm is needed, or
  • the domain name changes.

Expiration you can plan for. The other rotations are silent and unpredictable, and by the time you notice, your users have already noticed too. By then, it is too late.

Why does my app break?

Certificate pinning checks the server certificate’s public key, its hash, its trust chain or other metadata against values baked into the app. When the certificate changes, some of that data (if not all of it) changes too, and the check fails. The certificate hash (the fingerprint) changes with every new certificate, even one issued for the same key. The public key changes whenever the key pair is regenerated, which most renewals do by default. The trust chain changes less often, but pinning only the chain is weak: any certificate that CA issues for your host name would pass, which largely defeats the purpose of pinning.

What can I do to avoid downtime?

As mentioned, the easiest thing to do is to set up expiration reminders. That can be done with a simple calendar entry.

Whether a renewal keeps the same key pair is decided on your side, not by the CA: the CA signs whatever public key your certificate signing request contains. If you control the server, you can configure the ACME client or renewal job to reuse the existing key (certbot, for example, has a --reuse-key option), and the certificate’s public key then stays unchanged. By default, however, most renewal tools generate a fresh key on every renewal. That is what makes pinning the Subject Public Key Info (SPKI) a decent solution: the SPKI is the part of the certificate that holds the public key together with its algorithm identifier, so a pin on the SHA-256 hash of the DER-encoded SPKI survives renewal, as long as the key pair stays the same.

Also, implement backup pins. Keep at least two: one for the current key and one for a backup. The backup is either a second key pair that you generate in advance and keep offline, pinning its SPKI before it is ever used, or your CA’s intermediate (or root) certificate, with the caveat from above that a CA pin accepts anything that CA issues. When rotation happens, your application still trusts the backup while you update the primary pin: with a spare key pair, you issue the new certificate for that key; with a CA pin, any certificate from the same CA still passes. You will need to refresh the list over time, but users will not experience downtime.
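Putting the two recommendations together (SPKI pins plus a backup pin) in a .NET HttpClient, as an added example written for this page; it is not code from the original article or from the previous one. The pin values are placeholders, and the decision to also pin the CA intermediate is an illustration choice, not a requirement:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: SPKI pinning with a backup pin in HttpClient (.NET 5 or later,
// for PublicKey.ExportSubjectPublicKeyInfo() and SHA256.HashData()).
public static class SpkiPinning
{
    // Pin format: "sha256/" + base64(SHA-256(DER-encoded SubjectPublicKeyInfo)).
    // This is the same format browsers used for HPKP, so openssl produces
    // identical values. The three entries below are placeholders (assumed).
    static readonly HashSet<string> Pins = new(StringComparer.Ordinal)
    {
        "sha256/REPLACE-WITH-PRIMARY-PIN=",      // current leaf key
        "sha256/REPLACE-WITH-BACKUP-KEY-PIN=",   // spare key pair, generated in advance, kept offline
        "sha256/REPLACE-WITH-INTERMEDIATE-PIN=", // optional: CA intermediate (weaker, accepts any cert it issues)
    };

    // Compute the pin for a certificate. The same bytes come out of
    // rsa.ExportSubjectPublicKeyInfo() / ecdsa.ExportSubjectPublicKeyInfo(),
    // which is how you pin the backup key pair before any certificate exists for it.
    public static string PinOf(X509Certificate2 cert)
    {
        byte[] spki = cert.PublicKey.ExportSubjectPublicKeyInfo();
        return "sha256/" + Convert.ToBase64String(SHA256.HashData(spki));
    }

    public static bool Validate(HttpRequestMessage request, X509Certificate2? cert,
                                X509Chain? chain, SslPolicyErrors errors)
    {
        // Pinning is layered on top of normal chain validation, never instead of it:
        // an untrusted, expired or name-mismatched certificate fails regardless of pins.
        if (errors != SslPolicyErrors.None || cert is null || chain is null)
            return false;

        // Accept when the leaf or any CA in the built chain matches a pin.
        // A leaf/backup-key match is the strong case; an intermediate match is
        // the deliberately weaker fallback that covers a CA-side reissue.
        return chain.ChainElements
                    .Cast<X509ChainElement>()
                    .Select(element => element.Certificate)
                    .Any(c => Pins.Contains(PinOf(c)));
    }

    public static HttpClient CreateClient()
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = Validate
        };
        return new HttpClient(handler);
    }
}
```

Run PinOf once, offline, against the current certificate and against a self-signed certificate for the backup key (or export the SPKI straight from the key object) to fill in the first two pins; when the primary key is rotated to the backup, add a fresh backup and drop the old primary in the next release. Keeping the `errors != SslPolicyErrors.None` check is the part people most often remove while debugging and forget to put back.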

This is exactly why I am building CertWatch. The app tracks your certificates and alerts you 90/60/30/14/7/1 days before expiry, or immediately on an unexpected rotation event, notifying you before your users notice. The alert includes the new public key, so you can update your pinned app before it breaks.
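The two checks such alerts rely on, an expiry countdown and detection of a changed key, as an added example written for this page; it is not CertWatch’s code. The host name, the on-disk state file and the assumption that the monitor runs once a day are illustration choices:

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Added example: fetch the live leaf certificate, compare its SPKI pin with the
// one recorded on the previous run, and report days to expiry (.NET 5 or later).
public sealed record CertReport(string Host, string Spki, DateTime NotAfter, int DaysLeft, bool Rotated);

public static class CertMonitor
{
    // Warning thresholds in whole days; exact matches assume one run per day.
    static readonly int[] WarnDays = { 90, 60, 30, 14, 7, 1 };

    public static string PinOf(X509Certificate2 cert) =>
        "sha256/" + Convert.ToBase64String(SHA256.HashData(cert.PublicKey.ExportSubjectPublicKeyInfo()));

    // A real TLS handshake, so we see the certificate the server actually presents
    // (not a cached or locally stored copy). Default validation stays on.
    public static async Task<X509Certificate2> FetchLeafAsync(string host, int port = 443)
    {
        using var tcp = new TcpClient();
        await tcp.ConnectAsync(host, port);
        await using var tls = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false);
        await tls.AuthenticateAsClientAsync(host);
        if (tls.RemoteCertificate is null)
            throw new InvalidOperationException($"{host} presented no certificate");
        return new X509Certificate2(tls.RemoteCertificate);
    }

    // Pure comparison step, kept separate from I/O so it can be unit tested.
    public static CertReport Check(string host, X509Certificate2 leaf, string? lastSeenSpki)
    {
        string spki = PinOf(leaf);
        DateTime notAfter = leaf.NotAfter.ToUniversalTime();
        int daysLeft = (int)Math.Floor((notAfter - DateTime.UtcNow).TotalDays);
        // First run has nothing to compare against; afterwards any SPKI change is a rotation.
        bool rotated = lastSeenSpki is not null
                       && !string.Equals(lastSeenSpki, spki, StringComparison.Ordinal);
        return new CertReport(host, spki, notAfter, daysLeft, rotated);
    }

    public static bool ExpiryWarningDue(CertReport r) =>
        r.DaysLeft <= 0 || Array.IndexOf(WarnDays, r.DaysLeft) >= 0;

    public static async Task Main()
    {
        const string host = "api.example.com";   // assumption: the API your app pins
        string stateFile = $"{host}.spki";        // assumption: last seen pin stored next to the tool
        string? lastSeen = File.Exists(stateFile) ? File.ReadAllText(stateFile).Trim() : null;

        X509Certificate2 leaf = await FetchLeafAsync(host);
        CertReport report = Check(host, leaf, lastSeen);

        if (report.Rotated)
            Console.WriteLine($"ALERT {host}: key changed. New pin {report.Spki} (was {lastSeen}). Update the app’s pin list.");
        if (ExpiryWarningDue(report))
            Console.WriteLine($"WARN {host}: certificate expires {report.NotAfter:u} ({report.DaysLeft} days left).");

        File.WriteAllText(stateFile, report.Spki);
    }
}
```

Schedule it daily; a rotation that lands between two runs is still caught on the next one, because the comparison is against the stored pin rather than against time. Replacing Console.WriteLine with your alerting channel is the only part that needs changing.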

Conclusion

Certificate pinning makes your app more secure, but without handling rotation it also makes your app brittle and prone to unexpected outages. Pin the SPKI, keep a backup pin and set reminders. Do that and you won’t be waking up to a pile of angry emails and calls in distress.