Context / Challenge

CAs are required to replace misissued TLS certificates (e.g. organization name exceeding 64 characters, short serial number, etc) in less than 5 days. Replacing a certificate usually means the CA to reissue the certificate with the same subject public key and corrected fields and revoke the previous certificate.

In this period, sysadmins have to replace the old certificate by the new one (no need to generate new key pairs and/or CSR as the public key is the same).

If an app is doing certificate pinning, it has also to be updated with the new certificate (the certificate and respective certificate fingerprint is different). Depending on the app store program and the test complexity, the release cycle may take over 1 week and the roll out to end users is a gradual and slow process.

Therefore, this 5-days window is nearly impossible to meet without significant outages if doing certificate pinning.

Solution
In order to avoid the need for new app releases whenever a TLS certificate is replaced, this library should also support public key pinning.

Instead of pinning the certificate fingerprint, one would pin the fingerprint of the Subject Public Key Info (SPKI). The SPKI is the binary structure (DER encoded) of the public key and is present in several files: PKCS#8 key file, CSR and certificate.

Here follows the OpenSSL commands to obtain the fingerprint:

# Get public key fingerprint from a PKCS#8 file with the key pair
openssl rsa -in mytls.key -passin pass:myStr0ngP@s§w0rd -pubout -outform DER | openssl dgst -sha256

# Get public key fingerprint from the CSR (PEM format)
openssl req -in mytls.csr -pubkey -noout | openssl rsa -pubin -outform DER | openssl dgst -sha256

# Get public key fingerprint from the certificate (PEM format)
openssl x509 -in mytls.cer -noout -pubkey | openssl rsa -pubin -outform DER | openssl dgst -sha256

Further references

• Why public key hashes, not certificate hashes?
• OWASP Pinning Cheat Sheet
• RFC 7469 §2.4 Semantics of Pins