Unfortunately, there is no easy answer, and clearly, the consequences of getting it wrong mean your users cannot use your app. Choosing to enable certificate pinning is not a decision that can be taken lightly and not one that is easy to recommend for the majority of apps.
It is incredibly hard to know what the right certificate to pin against without knowing more about how you go about creating your certificates, for example:
- How frequently do you change the private key of your certificates? i.e. does it make sense to pin against the leaf cert?
- Do you plan on changing certificate authorities? i.e. does it make sense to pin against an intermediate or root cert?
- How many different certificates do you have? Some apps I’ve worked on use maybe 4–5 systems with different certificates.
- Who controls the renewal of certificates? Cloud providers such as AWS often handle certificate generation for you giving you far less control.