Tags: android, okhttp, pinning

Handle site certificate expiry with OkHttp Certificate pinning on Android


I have an app that has a site certificate hash pinned with OkHttp3 similar to the method mentioned here

The site certificate is about to expire soon though, and I realized that I need to be able to support a new site certificate as soon as I update it on the site, as well as let the current one still work until then. Is there a way to pin 2 certificates for the same site so that both are supported seamlessly (i.e. when the current one expires and is no longer valid, as well as the new one as soon as it is updated)?

TIA


Solution

  • This is the documented behaviour of CertificatePinner. So just add pins for your current and old certificate.

    http://square.github.io/okhttp/3.x/okhttp/okhttp3/CertificatePinner.html#check-java.lang.String-java.util.List-

    Confirms that at least one of the certificates pinned for hostname is in peerCertificates. Does nothing if there are no certificates pinned for hostname. OkHttp calls this after a successful TLS handshake, but before the connection is used.

    n.b. Because the expiry of your certificates may happen before old clients update, it is usually advised to also pin against the CA you use, which is quite likely to be consistent across old and new certificates. This will ensure that even if your current and next certificates expire or are revoked, you would still be able to authenticate with a newly generated certificate and older clients.

    https://community.letsencrypt.org/t/hpkp-best-practices-if-you-choose-to-implement/4625
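The multi-pin setup described in the answer, as an added example that is not part of the original question or answer: one `CertificatePinner` carrying pins for the current leaf certificate, the next leaf certificate, and the issuing CA, so the handshake passes as long as any one of them appears in the chain the server presents. The hostname and all three pin values are placeholders (the pins are all-zero hashes, not real certificates); the helper `pinFor` shows how to derive a real pin value from a certificate with OkHttp 3.x's `CertificatePinner.pin(Certificate)`.

```java
import java.io.IOException;
import java.security.cert.Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;

import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public final class RotationAwarePinning {

    // Placeholder hostname; replace with the host your app talks to.
    static final String HOST = "api.example.com";

    // Placeholder pins (base64 of 32 zero bytes, NOT real hashes).
    // Each is the SHA-256 of a certificate's SubjectPublicKeyInfo, as
    // produced by CertificatePinner.pin(Certificate).
    static final String PIN_CURRENT_LEAF =
            "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    static final String PIN_NEXT_LEAF =
            "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    // Backup pin for the issuing CA, so clients that never receive an
    // update keep working after the leaf is rotated again.
    static final String PIN_ISSUING_CA =
            "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";

    /**
     * Builds a client whose pinner accepts any ONE of the listed pins for
     * HOST. OkHttp checks the pins after the normal TLS validation, so an
     * expired or revoked certificate still fails before pinning is consulted.
     */
    public static OkHttpClient buildClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(HOST, PIN_CURRENT_LEAF, PIN_NEXT_LEAF, PIN_ISSUING_CA)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    /** Derives the "sha256/..." pin string for a certificate you hold locally. */
    public static String pinFor(Certificate certificate) {
        return CertificatePinner.pin(certificate);
    }

    /**
     * Performs a GET and surfaces a pinning mismatch distinctly, so the app
     * can log it (a sudden spike of these after a rotation means the new
     * pin was not shipped to clients in time).
     */
    public static String fetch(OkHttpClient client, String url) throws IOException {
        Request request = new Request.Builder().url(url).build();
        try (Response response = client.newCall(request).execute()) {
            return response.body() == null ? "" : response.body().string();
        } catch (SSLPeerUnverifiedException e) {
            // Thrown when none of the configured pins match the presented chain.
            // OkHttp's message lists the pins of the chain it actually saw,
            // which is useful when diagnosing a rotation that went wrong.
            throw new IOException("Certificate pin mismatch for " + HOST, e);
        }
    }

    public static void main(String[] args) throws IOException {
        OkHttpClient client = buildClient();
        System.out.println(fetch(client, "https://" + HOST + "/"));
    }
}
```

Add the pin for the next certificate (and the CA backup) to the client before the server switches, and only drop the old leaf pin once an app version carrying the new one has been out long enough that most installs have updated; a pin list with no overlap is what produces the outage the question is trying to avoid.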