I’m considering hosting a web application on Cloudflare. My mobile app would communicate with the web application.
I would like to configure my mobile app to pin the public keys of the root CAs used by Cloudflare so that I can limit the set of certificates that are trusted. To be clear, I would want to pin the public keys of the root CA for my web app’s edge certificate since that’s the one the mobile app would see.
If I host my application on Cloudflare, will this be possible? Specifically, when the certificates of the CAs expire, will their replacement certificates have the same public keys?
I have searched the Community for this question and only found one post but it doesn’t quite describe what I am trying to accomplish.
I’m not sure why that’s really necessary. A legitimate SSL/TLS certificate should be enough (valid HTTPS connection). Pair that with DNSSEC and CAA records, and that should be enough. And it sure beats having your mobile app break because of a certificate change.
If you want to do anything related to certificate pinning or TLSA, then you must control the certificates. Unless you are using Cloudflare Custom Certificates, you are not in control of the certificates. Cloudflare can change the keys of your cert at any time, and the intermediates and roots can also change without your knowledge.
mTLS might be worth investigating as an alternative.