
What is a recommended way to implement the checkServerTrusted method of X509TrustManager? I need to reimplement that for SSL pinning, but I can see just this implementation all the time:

// Implementation the question refers to: whenever exactly one certificate is presented
// it skips chain validation and only checks that the certificate has not expired.
public void checkServerTrusted(X509Certificate[] certificates, String authType)
    throws CertificateException {
    if ((certificates != null) && (certificates.length == 1)) {
        // Only the notBefore/notAfter window is checked; no signature, issuer or pin check
        certificates[0].checkValidity();
    } else {
        // Fall back to the platform's trust manager for full chain validation
        standardTrustManager.checkServerTrusted(certificates, authType);
    }
}

taken from this response. However, it seems to be wrong in my opinion. It only checks whether the certificate is valid (not expired), but nothing else.

Is there any implementation you could recommend, please?

Jakub Gruber

1 Answer


OK, the solution was not to use custom TrustManagers but just to initialize a KeyStore with my pinned SSL certificate.

Jakub Gruber
  • Usually you want to pin the key, not the certificate. Key pinning allows you to rotate certificates frequently, like every 30 days, and that keeps the CRLs small. Small CRLs are important for mobile clients. Depending on how big your PKI is, it may be important for desktop clients, too. – jww Jul 10 '17 at 18:08
  • You mean initialize your *trust* store with the certificate. – user207421 Jul 11 '17 at 03:29