Showing posts with the label Certificate Pinning

Certificate Pinning: Should I Pin The Leaf Or Intermediate?

Answer: You can pin leaf, intermediate CA, or root CA. All will work, but each comes with a usability / security tradeoff depending on the details of your setup. The article you link actually gives a fairly good run-down of the differences:

Leaf certificate. By pinning against your leaf certificate you are guaranteeing with close to 100% certainty that this is your certificate and thus the chain is valid. Leaf certificates tend to have a short expiry time and if, for instance, the SSL certificates are re-issued because the private key is compromised your app will be bricked until you can push an update out. Of course the same may also be true if you frequently cycle your certificates.

Intermediate certificate. By pinning against the intermediate certificate you are trusting that intermediate certificate authority to not mis-issue a certificate for your server(s). This also has the advantage that as long as you stick to the same certificate provider then any changes to your le...