I can't say I know, but I don't think they can simply replace them at will, otherwise wouldn't existing certs just stop working?



The intermediates can be replaced without issues, as long as they link to the same root certificates. That's the standard way to rotate them when they expire, or get compromised.


When are you talking about them being replaced? Because I thought website certificates embed the signature of the signer (the intermediate), so if the intermediate is revoked, my website's certificate won't work anymore. If that's the case I should be fairly safe pinning the intermediate for as long as my website certificate is valid.


Ah, yes, but my suggestion was to pin the root.


CAs will not arbitrarily throw out their root certificates (they're quite expensive and valuable), so you'll be fine pinning to a root. I'd advise against it when you use OV or EV certificates though, as it'd allow for a DV certificate to still work.