# SSL Public Key Pinning Maintenance Briefing

> [!IMPORTANT]
> This document is critical for DevOps and Backend teams handling SSL certificate rotations for the Watson API.

## Overview
Watson uses **Public Key Pinning** (not full certificate pinning) for mobile app security. This ensures that even if a CA is compromised, the app only trusts certificates associated with a specific public key.

## Maintenance Requirements

### 1. Certificate Renewal (Same Private Key)
When the SSL certificate expires and is renewed using the **same Private Key/CSR**:
- The Public Key Pin remains unchanged.
- The mobile app will continue to function without any updates.
- **Action**: No app update required. This is the preferred method for rotation.

### 2. Certificate Renewal (New Private Key)
If a **new Private Key** is generated during renewal:
- The Base64 hash of the public key will change.
- **The app will immediately block all connections** (detecting it as a potential Man-in-the-Middle attack).
- **Action**: The new Base64 hash **MUST** be provided to the mobile team for an app update **BEFORE** the new certificate is deployed to the live server.

## Actionable Advice for DevOps
- **Always** attempt to keep the same Private Key when rotating SSL certificates to avoid service disruption.
- If a security policy requires a new Private Key, coordinate with the mobile team at least 2 weeks in advance to ensure the app update is distributed and adopted by users before the switch.

---
*Last Updated: March 2026*
