AFNetworking certificate pinning and certificate revocation

| | August 7, 2015

When using a CA signed certificate in the public key pinning mode, do I really require the following values to be:

validatesCertificateChain = NO
allowInvalidCertificates = YES

I know I need to set allowInvalidCertificates = NO when using self signed but is that still the case where pinning to the public key of a ‘real’ cert?

Secondly how would this function if the certificate was revoked? My thought is that things would keep working as pinning basically ignores the CA trust chain. If this is the case is there a way to also check the chain such that a revoked certificate is rejected as well as doing the public key pinning? Not sure if that is security overkill, or if AFNetworking already handles this…

Thanks.

Leave a Reply