
I have an Android app with SSL pinning. It was working fine, but after I renewed the SSL certificate it is now throwing an exception:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

  • Is renewal of the SSL certificate supposed to stop the existing app?
  • What can I do so the old app will work without releasing a new app with new SSL pinning?
  • The newly renewed SSL certificate doesn't have any chain issues according to the SSL Labs test.

1 Answer


Is renewal of the SSL certificate supposed to stop the existing app?

If you change the public key during renewal, then breaking pinning is expected. If you keep the public key, pinning should still work.

What can I do so the old app will work without releasing a new app with new SSL pinning?

If the public key changed, you have to release a new app with updated pinning information. There is no workaround.

Steffen Ullrich
  • Hi, thanks for the info, but our data center team (who renewed the SSL certificates) is saying that it's not possible to keep the same public key after renewal. Is this true? How can it be done? We are using RapidSSL; does RapidSSL have any option to keep the same public key, or do we need to write OpenSSL commands for that? Please help us, thank you – ɹɐqʞɐ zoɹǝɟ Jun 08 '17 at 10:41
  • @ɹɐqʞɐzoɹǝɟ: The owner of the certificate creates the certificate signing request (CSR), which contains the public key. If one uses the same public key as in the old certificate in the new CSR, the old key gets used in the new certificate too. So in theory there is no problem, and certificate agencies support this. In practice your data center team might have employed some guidelines which forbid doing this, but in this case these are your own restrictions. – Steffen Ullrich Jun 08 '17 at 11:14
  • Thanks for the reply. Do you know how we can generate a CSR with the same public key? Please share the OpenSSL command if you know one; the data center people are saying it's not possible :( Thank you – ɹɐqʞɐ zoɹǝɟ Jun 08 '17 at 11:33
  • @ɹɐqʞɐzoɹǝɟ: When generating the CSR, just take the same key file as you currently use with the old certificate instead of creating a new key file. The key file contains both the private and the public key. – Steffen Ullrich Jun 08 '17 at 11:52
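The procedure from the comments above (build the renewal CSR from the existing key file) as an added, runnable example; it is not from the original thread and not the questioner's or RapidSSL's setup. Everything is constructed inline: the hostname app.example.com is a placeholder, and because no CA is available offline the "CA signature" on the renewed certificate is simulated with the server's own key. The script computes the SPKI pin (base64 of the SHA-256 over the DER-encoded SubjectPublicKeyInfo, the value an Android Network Security Config `<pin digest="SHA-256">` or an OkHttp `sha256/...` pin compares against) for the old certificate, for a renewal that reused the key, and for a renewal that generated a fresh key.

```shell
#!/bin/sh
# Added example (not part of the original thread): renew a certificate while
# keeping the existing key pair and show that the SPKI pin is unchanged,
# in contrast to a renewal that generated a fresh key.
# Placeholder hostname; CA signature simulated with the server's own key.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CN="app.example.com"   # placeholder, not the questioner's domain

# spki_pin CERT.pem: print the pin a public-key pinner compares against,
# i.e. base64(SHA-256(DER SubjectPublicKeyInfo)). Only the key is hashed,
# so serial number, validity dates and CA signature may change freely.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# same_key OLD.pem NEW.pem: exit 0 if both certificates carry the same
# public key, i.e. an app that pinned OLD keeps working against NEW.
same_key() {
  [ "$(spki_pin "$1")" = "$(spki_pin "$2")" ]
}

# 1. The key pair the old certificate was issued for. On a real server this
#    file already exists; the point is NOT to regenerate it at renewal time.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/server.key" 2>/dev/null
openssl req -x509 -new -key "$WORK/server.key" -subj "/CN=$CN" -days 365 \
  -out "$WORK/old.crt" 2>/dev/null

# 2. Correct renewal: the CSR is built from the SAME key file, so the public
#    key inside the CSR (and therefore in the issued cert) is unchanged.
openssl req -new -key "$WORK/server.key" -subj "/CN=$CN" \
  -out "$WORK/renew.csr" 2>/dev/null
openssl x509 -req -in "$WORK/renew.csr" -signkey "$WORK/server.key" \
  -days 365 -out "$WORK/new.crt" 2>/dev/null

# 3. Renewal with a new key pair: different SubjectPublicKeyInfo, so every
#    app pinned to the old key fails its handshake against this cert.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/fresh.key" 2>/dev/null
openssl req -x509 -new -key "$WORK/fresh.key" -subj "/CN=$CN" -days 365 \
  -out "$WORK/rekeyed.crt" 2>/dev/null

OLD_PIN=$(spki_pin "$WORK/old.crt")
echo "old cert pin:       sha256/$OLD_PIN"
echo "renewed (same key): sha256/$(spki_pin "$WORK/new.crt")"
echo "renewed (new key):  sha256/$(spki_pin "$WORK/rekeyed.crt")"

if same_key "$WORK/old.crt" "$WORK/new.crt"; then
  echo "same-key renewal: pin unchanged, pinned app keeps working"
fi
if ! same_key "$WORK/old.crt" "$WORK/rekeyed.crt"; then
  echo "re-keyed renewal: pin changed, pinned app must be updated"
fi
```

Two caveats when applying this to a real deployment. First, the CA does not care whether the CSR reuses a key; reuse is only a problem if your own policy (or the data center's automation, which commonly generates a fresh key per CSR) forbids it. Second, this only rescues apps that pin the public key. An app that instead bundles the old leaf certificate as its sole trust anchor in a custom TrustManager, or pins the hash of the whole certificate, fails on any renewal even with the same key, and the exception in the question ("Trust anchor for certification path not found") is typically what such a bundled-certificate TrustManager reports when it meets the new certificate; in that case only an app update helps.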