Hello Baqir, Google frequently rotates leaf certificates and keys, and our intermediate and root may change at any time without notice.
If you wish to pin against a service that’s running on Google’s infrastructure, you must be serving with your own certificates. Once you are pinning against keys that you control, we may advise you that pinning is complex and dangerous, but you can fundamentally do what you choose. Since you are not using Cloud Endpoints, you can set up your own custom domain and use your own certficates <https://cloud.google.com/appengine/docs/ssl> for your Google App Engine application. I hope this helps. On Friday, February 16, 2018 at 12:01:00 AM UTC-5, baqir rizvi wrote: > > I want to protect my google cloud endpoint APIs from man in the middle > attack using SSL Pinning through OKHTTP CertificatePinner > <https://square.github.io/okhttp/3.x/okhttp/okhttp3/CertificatePinner.html>. > Before I proceed, I have few questions in my mind: > > (hostname is "[email protected]") > > 1. does google changes its server certificate along with CA > certificates i.e. renewing certificate time to time? > 2. does google notify us that its going to renew the certificate.? > 3. do we also require to update the pinned certificate at the client > side whenever google changes its certificates.? > 4. what is the best way to achieve that or any other suggestion is > welcome > > -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/google-appengine. To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/4d2c7542-c1b5-49eb-8e4d-4ff85193d009%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
