Certificate Pinning
Hi, I have a question regarding certificate pinning.
I would like to understand what certificate pinning is and how it works with regard to us hosting our services in IIS.
Usually, we create a CSR from IIS and send it to a publicly trusted CA such as GlobalSign to sign it and return it to us to complete the CSR request on the server that issued it. Is certificate pinning included within this process?
Thanks to anyone who's here to help.
2 answers
Vadims Podāns 9,186 Reputation points MVP
2022-12-09T08:02:45.503+00:00
Keep in mind that HTTP Public Key Pinning is now an obsolete security mechanism: https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
I would avoid its use at all.
Yurong Dai-MSFT 2,846 Reputation points Microsoft External Staff
2022-12-12T05:14:54.117+00:00
What is certificate pinning?
Certificate pinning restricts which certificates are considered valid for a particular website, limiting risk. Instead of allowing any trusted certificate to be used, operators "pin" the certificate authority (CA) issuer(s), public keys or even end-entity certificates of their choice. Clients connecting to that server will treat all other certificates as invalid and refuse to make an HTTPS connection.
Pinning allows websites to control the risk of misissuance, CA compromise, or man-in-the-middle attacks. Pinning takes multiple forms depending on the use case: I can pin my certificate as the only one in my client trust store, or write the public key hash into my code so only my key is trusted. When pinning started becoming popular, the hope was that these extra layers of complexity made it harder for bad actors to use certificates in attacks or spoofs.
How does certificate pinning work?
Certificate pinning is merely the process of correlating a host, from which connections will be sought, with the predesignated certificate or the server's public key that conforms to IETF X.509 cryptography standards. Once that association has been established between host and certificate, the relationship between the two is formalized, pinning that certificate to that host. A secure connection with a client or API call is approved only in instances where the offered certificate exists within that set of pinned certificates.
Most often the approved, or pinned, certificate is embedded within an application during the development process. Pinning during development adds a layer of security by making it more difficult for a would-be attacker to compromise the pin. But pins can also be added when an application first attempts to connect, a process known as key continuity. The use of key continuity, however, comes with the price of increased risk exposure through attacks that can occur during the initial connection attempt between host and application.
Pinning assumes and utilizes a relationship between client and host that has been both pre-defined and pre-established, with proper protocols and parameters known and accepted by all legitimate participants. This eliminates the necessity of depending upon constant pings to organizational elements — to CAs, for example, for continuous updates about certificate status.
While certificate pinning can enhance security, it also has many problems. This approach exposed organizations to costly certificate management challenges and a potentially poor user experience, and the web community quickly learned that pinning was not a good idea.
Some of the common problems that this technology may face are: resolution of compromised keys, lack of cryptographic agility, and a series of problems caused by revoked certificates. Using certificate pinning is extremely risky and error-prone. If you configure pinning incorrectly, you could block access to your own website or break connections in your applications with limited options for recourse. The biggest problem is that you lose the ability to respond to certificate issues. If for any reason you need to change keys, certificates, issuers, or your CA vendor, you'll have to fix your clients, browsers, code, IoT devices, etc.
In conclusion, it is recommended that you do not use pinning; the complexity and consequences outweigh the benefits.
Best regards,
Yurong Dai