🛠️ Upcoming Certificate Update – Action Required for Clients Using Certificate Pinning
We will update the TLS certificates used to secure API connections to our services on May 7, 2025.
This change is unlikely to affect you, unless you have explicitly chosen to implement certificate pinning in your HTTPS client.
Impact
Clients utilizing certificate pinning may experience connection failures or trust errors following this update.
Action required
If you're affected, we recommend discontinuing the use of certificate pinning, as it is generally discouraged. However, if this isn't possible, instructions for pinning our new certificates are provided below.
We are moving to Amazon Web Services (AWS) certificates. AWS cross-signs an intermediate certificate with different root CAs. This ensures that the certificate is trusted by a wider range of clients, especially legacy systems or older devices that may only trust a certain root. It also means that adding a single root certificate to your trust store is not enough.
AWS provides resources for certificate pinning here: https://www.amazontrust.com/repository/ (Trust Store and Pinning Recommendations).
To recap:
- Use public key pinning, not full certificate pinning.
- Pin all available root certificates found here: https://www.amazontrust.com/repository/
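The following is an added example, not code from Frisbii or AWS, showing why a public key pin keeps matching when the same CA key appears in a cross-signed certificate while a full-certificate fingerprint does not. All function names are hypothetical, and the sample "certificates" are constructed DER skeletons, not real certificates.

```python
import base64
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, end) for the DER element at pos."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    return tag, start, start + length

def spki_pin(cert_der):
    """Base64 SHA-256 over the SubjectPublicKeyInfo element of a DER certificate."""
    _, pos, _ = read_tlv(cert_der, 0)        # enter Certificate
    _, pos, _ = read_tlv(cert_der, pos)      # enter TBSCertificate
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                          # optional [0] version field
        pos = end
    for _ in range(5):  # skip serial, signature alg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    _, _, end = read_tlv(cert_der, pos)      # SubjectPublicKeyInfo
    return base64.b64encode(hashlib.sha256(cert_der[pos:end]).digest()).decode()

def cert_fingerprint(cert_der):
    """Hex SHA-256 over the whole certificate (full certificate pinning)."""
    return hashlib.sha256(cert_der).hexdigest()

def chain_is_pinned(chain, pins):
    """True if any certificate in the presented chain carries a pinned key."""
    return any(spki_pin(c) in pins for c in chain)

# --- constructed sample data: DER skeletons, not real certificates ---
def tlv(tag, body):
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def fake_cert(issuer, spki):
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
           + tlv(0x30, issuer) + tlv(0x30, b"") + tlv(0x30, b"subject") + spki)
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00sig"))
KEY_A = tlv(0x30, tlv(0x30, b"alg") + tlv(0x03, b"\x00" + b"A" * 200))
KEY_B = tlv(0x30, tlv(0x30, b"alg") + tlv(0x03, b"\x00" + b"B" * 200))
SELF_SIGNED = fake_cert(b"root A", KEY_A)        # CA key in a self-signed cert
CROSS_SIGNED = fake_cert(b"older root", KEY_A)   # same key, signed by another CA
OTHER = fake_cert(b"root B", KEY_B)              # unrelated key
PINS = {spki_pin(SELF_SIGNED)}                   # pin set built from the key only
```

To compute pins for real certificates downloaded in PEM form, convert each one with `ssl.PEM_cert_to_DER_cert` from the Python standard library before passing it to `spki_pin`.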
Testing
To test, send an HTTP GET request with the updated client to this endpoint:
https://staging-api.reepay.com/info/
If pinning has been successfully implemented, a connection will be established, and a JSON object will be returned.
Need Help?
If you need assistance or have concerns about this change, please contact: support@frisbii.com.