Change mobile app server certificate pinning behaviour


To make the app server work you have to pin its certificate through the main Passwordstate service, which currently seems to use the certificate itself. I'm using Let's Encrypt for my certificates, so that means every few months I have to clear the pin, re-query for the new cert and tell all users to re-pair their apps. And even if you use "real" certs that have a validity period of a couple years, once that expires you'll have exactly the same problem.


I propose that instead of generating some form of hash of the certificate, Passwordstate should use the SPKI fingerprint instead. As far as I know this is dependent on the private key, so as long as that doesn't change the output will be the same. This is how HTTP Public Key Pinning works as well, so as not to break all clients that have already cached the previous pin when the cert rotates. Many Let's Encrypt clients (or ACME in general) can be told to reuse an existing private key.

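As an added example (not code from this thread or from Passwordstate), the Go program below issues two self-signed certificates for the same key, the way an ACME renewal with key reuse would, and compares the two pin styles from the post: a hash over the whole certificate changes on renewal, while a hash over the SubjectPublicKeyInfo (the HPKP / RFC 7469 style) stays the same. The hostname is a placeholder and the certificates are built in memory only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"math/big"
	"time"
)

// must panics on error; all work here is in memory, so these calls do not fail in practice.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert self-signs a certificate for key, standing in for one ACME renewal: serial and
// validity differ each time, so the certificate bytes differ even when the key is reused.
func issueCert(key *ecdsa.PrivateKey, serial int64, notBefore time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		DNSNames:     []string{"appserver.example"}, // placeholder hostname
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(90 * 24 * time.Hour), // Let's Encrypt lifetime
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// pin is the base64 SHA-256 both schemes use; only the bytes being hashed differ.
func pin(der []byte) string {
	sum := sha256.Sum256(der)
	return base64.StdEncoding.EncodeToString(sum[:])
}
// CertPin hashes the whole certificate; SPKIPin only its SubjectPublicKeyInfo (RFC 7469 HPKP style).
func CertPin(c *x509.Certificate) string { return pin(c.Raw) }
func SPKIPin(c *x509.Certificate) string { return pin(c.RawSubjectPublicKeyInfo) }

// PinsSurviveRenewal renews with the same key two months later and reports whether each pin still matches.
func PinsSurviveRenewal() (certStable, spkiStable bool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	old := issueCert(key, 1, time.Now())
	renewed := issueCert(key, 2, time.Now().Add(60*24*time.Hour))
	return CertPin(old) == CertPin(renewed), SPKIPin(old) == SPKIPin(renewed)
}
```

Rotating the private key (a new key pair at renewal) changes the SPKI pin as well, so an SPKI-based scheme only removes the re-pairing step when the ACME client is configured to reuse the key.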

  • 2 months later...

Hi Guys,


Thanks for your request, but we will not be changing the behaviour for this. We have engaged with an external Cyber Security company for the development of the App Server, and they also recommended the current method we implemented.


As certificates are quite cheap, we recommend purchasing a certificate instead of using Let's Encrypt.

Regards

Click Studios
