We are currently looking into enabling HTTP Public Key Pinning on our website. The problem we are currently facing is that our certificates last only 90 days, but we have devised the following steps to resolve this issue:
- We will initially have four certificates issued (2 RSA and 2 ECC; one of each is from a different CA than the other. I'll call the CAs "A" and "B").
- Every three weeks we will have a new set of RSA and ECC certificates issued. The first time (three weeks after enabling the HPKP header) this will be from CA "A", three weeks later from "B", then "A" again, etc. Only the oldest non-expired certificate pair will be used, but the newer ones are pinned for future use.
- The `max-age` will be 5184000 seconds, or 2 months.
Extra info:
- Again, due to the way our CAs are set up, the certificates will only last 90 days before expiring.
- We don't want to pin the CAs' root or intermediary certificates, as we want to use HPKP to prevent potential hijackers of our domain or DNS from being able to quickly issue a new certificate. If we could do this, we would instead use DNS CAA, as that would be a lot easier in our situation.
This way, we will always be serving at least two previously pinned certificate pairs, each from a different CA, as per the specification.
However, at some point we will have 8 pinned certificates (2 RSA and 2 ECC from each of the two CAs). This is a lot more than I have ever encountered, so my questions are:
Can browsers handle 8 pinned certificates? What is the limit (if any) to the number of certificates that can be pinned?
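Before committing to a pin rotation plan it is worth simulating it. The following is an added example (not code from the question's author) that models the schedule described above in whole days, counts how many SPKI pins the header carries on each day, and checks the two properties HPKP depends on: a client that cached the pins on any day must still match the served certificate for the whole `max-age` window, and the header must always contain at least one backup pin. The day-0 tie between the two initial pairs is assumed to be broken in favour of CA "A".

```python
# Added example: simulate the HPKP rotation plan from the question.
from dataclasses import dataclass

LIFETIME_DAYS = 90                 # certificates expire 90 days after issue
ISSUE_INTERVAL_DAYS = 21           # a new RSA+ECC pair every three weeks
MAX_AGE_DAYS = 5184000 // 86400    # 60 days, the max-age from the question
CERTS_PER_PAIR = 2                 # one RSA + one ECC certificate per issuance

@dataclass(frozen=True)
class Pair:
    ca: str
    issued: int  # day number on which the pair was issued

    def alive(self, day):
        return self.issued <= day < self.issued + LIFETIME_DAYS

def schedule(horizon_days):
    """Issuance plan: pairs from CA A and B on day 0, then A, B, A, ... every 21 days."""
    pairs = [Pair("A", 0), Pair("B", 0)]
    k = 1
    while k * ISSUE_INTERVAL_DAYS <= horizon_days:
        pairs.append(Pair("A" if k % 2 else "B", k * ISSUE_INTERVAL_DAYS))
        k += 1
    return pairs

def pinned(pairs, day):
    """Non-expired pairs, i.e. the pairs whose SPKI hashes are in the header that day."""
    return {p for p in pairs if p.alive(day)}

def served(pairs, day):
    """Oldest non-expired pair; tie on day 0 broken towards CA A (assumption)."""
    return min(pinned(pairs, day), key=lambda p: (p.issued, p.ca))

def pinned_certs_on(day, horizon_days=365):
    return CERTS_PER_PAIR * len(pinned(schedule(horizon_days), day))

def max_pinned_certs(horizon_days=365):
    return max(pinned_certs_on(d, horizon_days) for d in range(horizon_days))

def clients_never_break(horizon_days=365):
    """A client that cached pins on day t0 keeps them until t0 + max-age; every
    certificate served in that window must match one of the cached pins."""
    pairs = schedule(horizon_days)
    for t0 in range(horizon_days - MAX_AGE_DAYS):
        cached = pinned(pairs, t0)
        if any(served(pairs, t) not in cached for t in range(t0, t0 + MAX_AGE_DAYS + 1)):
            return False
    return True

def backup_pin_always_present(horizon_days=365):
    """RFC 7469 requires at least one pin that is not in the currently served chain."""
    pairs = schedule(horizon_days)
    return all(len(pinned(pairs, d)) >= 2 for d in range(horizon_days))
```

Running the checks shows the plan keeps clients working and always carries a backup pin, while the pin count peaks just before the initial certificates expire and then oscillates as pairs are issued and retired.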