Do you support certificate and/or public key pinning for TLS connections?

This is not a feature we offer by default, because the Ably platform needs to reserve the right to change certificates for a number of reasons. For example, if we are under a monumental DDoS attack, we may change our default endpoints and potentially the certificates as a result.

However, if an organization does require certificate or public key pinning, we can offer this as follows:

  • Customers must provide two certificates that will be used for pinning (primary and secondary)
  • We will set up dedicated endpoints and load balancers that serve these certificates (see custom CNAME endpoints for more info)
  • We customise the client libraries a customer needs to support certificate pinning
  • Customers must be on an Enterprise plan
 
If you would like to discuss certificate pinning for your organization, then please get in touch.
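
An added example, not Ably's client library code: a public key pin check in plain Node.js that accepts either the primary or the secondary key, so a dedicated endpoint can move to the secondary certificate without pinned clients failing. The function names, the `realtime.example.com` host and the generated sample keys are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');
const tls = require('node:tls');

// Pin = base64(SHA-256(DER-encoded SubjectPublicKeyInfo)) of the server key.
function spkiPin(spkiDer) {
  return crypto.createHash('sha256').update(spkiDer).digest('base64');
}

// Returns the label of the matching pin ('primary' or 'secondary'), or null.
// Returning the label lets the caller log when the secondary is in use.
function matchPin(spkiDer, pins) {
  const presented = spkiPin(spkiDer);
  for (const [label, pin] of Object.entries(pins)) {
    if (pin === presented) return label;
  }
  return null;
}

// TLS options for a pinned connection: the normal hostname check runs first,
// then the leaf certificate's public key must match one of the two pins.
function pinnedTlsOptions(host, pins) {
  return {
    host, port: 443, servername: host,
    checkServerIdentity: (name, cert) => {
      const err = tls.checkServerIdentity(name, cert);
      if (err) return err;
      const spki = new crypto.X509Certificate(cert.raw)
        .publicKey.export({ type: 'spki', format: 'der' });
      return matchPin(spki, pins)
        ? undefined
        : new Error(`pinning: ${name} presented a key matching no configured pin`);
    },
  };
}

// Constructed sample keys standing in for the public keys of the primary
// certificate, the secondary certificate and an unrelated certificate.
function sampleSpki() {
  const { publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return publicKey.export({ type: 'spki', format: 'der' });
}
const primary = sampleSpki(), secondary = sampleSpki(), other = sampleSpki();
const PINS = { primary: spkiPin(primary), secondary: spkiPin(secondary) };

console.log(matchPin(primary, PINS), matchPin(secondary, PINS), matchPin(other, PINS));
// Usage (hypothetical host): tls.connect(pinnedTlsOptions('realtime.example.com', PINS))
```

Pinning the public key rather than the whole certificate means a certificate reissued with the same key still matches its pin.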