It depends on how you renew the certificate. Pins are normally taken over the certificate's public key (a SHA-256 digest of the SubjectPublicKeyInfo), not over the whole certificate, so as long as the renewed certificate is issued for the same key pair (i.e. the same private key) the pin value is unchanged and, from the app's point of view, nothing needs to happen.

If the private key changes, however, the pins shipped in your app no longer match the new certificate. Pinning against the intermediate certificate as well can mitigate this, provided the new certificate is issued through the same certificate authority and the same intermediate; bear in mind that CAs rotate their intermediates too, so this only moves the problem up one level. Alternatively, if you generate the new key pair in advance, you can ship its pin as a backup pin in an earlier app update, before the new certificate is deployed to the server. Obviously this requires planning, and services like AWS that generate the key pair for you as part of automated certificate issuance make it significantly harder to achieve.

Certificate pinning is incredibly hard to get right, and the consequences of getting it wrong can stop your app from working until you are able to push out an app update and users actually install it. At a minimum, always ship at least one backup pin for a key you control and set an expiry on the pin set so that a stale pin degrades to normal certificate validation instead of a hard failure.
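As an added example (not code from the original post), the Go program below builds a constructed root/intermediate/leaf chain with hypothetical names, computes the same SPKI pin format Android's network_security_config and OkHttp's CertificatePinner use, and then checks which of the renewal cases discussed above a pinned app would still accept: renewal with the same key pair, rotation to a new key with only the leaf pinned, the same rotation with the intermediate also pinned, a backup pin for a key generated in advance, and a move to a different CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // serial numbers for the constructed test certificates

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs a certificate for subjectKey; parent == nil yields a self-signed root.
func issue(cn string, subjectKey *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, isCA bool) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(90 * 24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, subjectKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &subjectKey.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// SPKIPin is the pin format used by Android's network_security_config and OkHttp:
// base64(SHA-256(DER SubjectPublicKeyInfo)). It covers only the public key, not the
// serial, validity dates or signature, so renewal with the same key pair keeps it stable.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinMatches applies the rule those implementations use: the connection is accepted
// if any certificate in the served chain has an SPKI digest in the pin set.
func PinMatches(pins []string, chain []*x509.Certificate) bool {
	set := make(map[string]bool, len(pins))
	for _, p := range pins {
		set[p] = true
	}
	for _, c := range chain {
		if set[SPKIPin(c)] {
			return true
		}
	}
	return false
}

// Scenario builds a constructed PKI (hypothetical names) and reports whether an app
// pinned to the original leaf keeps working in each renewal case.
func Scenario() map[string]bool {
	rootKey, intKey := newKey(), newKey()
	root := issue("Example Root CA", rootKey, nil, nil, true)
	inter := issue("Example Intermediate CA", intKey, root, rootKey, true)
	serverKeyA, serverKeyB := newKey(), newKey()
	original := issue("api.example.com", serverKeyA, inter, intKey, false)
	renewedSameKey := issue("api.example.com", serverKeyA, inter, intKey, false) // new serial/dates, same key
	rotatedKey := issue("api.example.com", serverKeyB, inter, intKey, false)
	// The site moves to a different CA: new root, new intermediate.
	otherRootKey, otherIntKey := newKey(), newKey()
	otherRoot := issue("Other Root CA", otherRootKey, nil, nil, true)
	otherInter := issue("Other Intermediate CA", otherIntKey, otherRoot, otherRootKey, true)
	movedCA := issue("api.example.com", serverKeyB, otherInter, otherIntKey, false)

	leafOnly := []string{SPKIPin(original)}
	leafPlusIntermediate := []string{SPKIPin(original), SPKIPin(inter)}
	leafPlusBackup := []string{SPKIPin(original), SPKIPin(rotatedKey)} // next key pair generated in advance
	return map[string]bool{
		"renewed-same-key":             PinMatches(leafOnly, []*x509.Certificate{renewedSameKey, inter}),
		"rotated-key-leaf-pin-only":    PinMatches(leafOnly, []*x509.Certificate{rotatedKey, inter}),
		"rotated-key-intermediate-pin": PinMatches(leafPlusIntermediate, []*x509.Certificate{rotatedKey, inter}),
		"rotated-key-backup-pin":       PinMatches(leafPlusBackup, []*x509.Certificate{rotatedKey, inter}),
		"new-ca-intermediate-pin":      PinMatches(leafPlusIntermediate, []*x509.Certificate{movedCA, otherInter}),
	}
}

func main() {
	for name, ok := range Scenario() {
		fmt.Printf("%-30s accepted=%v\n", name, ok)
	}
}
```

Only the same-key renewal, the intermediate pin and the pre-shipped backup pin keep the app working after a key change; a leaf-only pin fails on rotation, and the intermediate pin fails as soon as the site moves to a different CA. On Android the equivalent pins go in a `<pin-set>` in network_security_config.xml, whose `expiration` attribute is what lets a forgotten pin set degrade gracefully instead of bricking the app.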

Matt Dolan has been eating doughnuts and developing with Android since the dark days of v1.6.