SSL Pinning
Overview
SSL Pinning enhances the security of the overall HYPR ecosystem and prevents MITM (Man-In-The-Middle) attacks. Before any HTTPS communication occurs, the client checks that the server is trusted by the client. After SSL Pinning is enabled, all subsequent registration, authentication, and de-registration requests are checked for a valid certificate. The client will check the certificate which server has and will make sure the client certificate hash matches the hash of the server certificate before proceeding withe any HTTPS request.
Prerequisites
Two different certificates are required for SSL Pinning to work. You can upload the certificates in the SSL Pinning section, located in the global Settings of the FIDO Control Center.
The Control Center supports certificates in the PEM format in Base64 ASCII. Only .pem, .crt, .cer file types can be uploaded to the Control Center.
Two SSL pins are required
The iOS app requires two SSL pins. Be sure to upload two certificates. File types supported include: .pem, .crt, and .cer
Integration
Step 1. Upload SSL Pinning Certificates
Step 2. Clicking the SSL Pinning toggle button will display a pop-up where you can upload certificates.
Step 3. View after uploading the first certificate
Certificates are required
If you are enabling SSL Pinning, be sure to upload two certificates. Uploading one certificate will fail the registration
Step 4. View after uploading two certificates
SSL Pinning Information
See the SSL Pinning information details below:
Field | Description |
|---|---|
Certificate | This is the file name of the certificate which is being uploaded. |
Valid From | This is the start date of the certificate from when it is valid from. |
Valid To | The expiry date of the certificate. |
Order | It can be primary or alternate. An admin can choose to make a certificate primary while uploading the second certificate. The primary will be one used for pinning and alternate can be used in place of primary when the primary expires. |
Status | It can be either active or expired. |
Actions | An admin can click on Delete to remove certificates. Please note that deletion will not revoke the certificates. |
Disabling SSL Pinning
An admin can disable SSL Pinning by clicking on the toggle button. A pop-up will appear to confirm if you want to disable SSL Pinning.
Note
Once you click Disable, certificates will be removed and pinning will be disabled. This cannot be undone and you will be required to upload certificates again to enable SSL Pinning.
What will happen if the certificate expire?
Currently, administrators can upload two certificate. If the primary gets expired then
- Admins can make the secondary as the primary for SSL Pinning.
- Replace the primary with a new valid certificate.
Updated about 2 years ago