I have an app which connects to an API. The API TLS certificate is about to expire and we are using public key pinning.
How do I rotate the certs without disabling access to our users?
When rotating certs, can I change the private key without changing the public key? I assume not, as they are a key pair. Can someone confirm?
What would be the point of rotating the cert only to update the expiry date? Surely someone investing sufficient time to compromise the private key can continue to do so if only the expiry date variable is changed?
I understand that if it is coming close to expiry I should update the cert to prevent unavailability of the service, but then is it recommended to have a long expiry date on the next rotation?
When keys are rotated (say I leave the public and private key the same), is there anything mathematically, or from an encryption perspective, that changes if only the expiry date has changed?
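As an added illustration, separate from the question itself and from any answer on this page, the Go program below uses only the standard library to re-issue a certificate on the same key pair with a fresh validity window and then compare the SPKI pin (what a pinning client stores) and the full certificate fingerprint before and after. It also issues a certificate on a brand-new key and checks it against a client pin set that carries a backup pin; shipping a backup pin for the next key ahead of time is common pinning practice, not something the question states. The hostname `api.example.test`, the serial numbers and the dates are constructed values, and the certificates are self-signed so the example runs offline; a CA-issued leaf on the same key pins identically.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin returns the value a public-key-pinning client typically stores:
// base64(SHA-256(DER SubjectPublicKeyInfo)). It depends only on the public key,
// not on validity dates, serial number or the issuer's signature.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// CertFingerprint hashes the whole DER certificate; it changes on every re-issue.
func CertFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// MatchesPinSet reports whether the presented leaf's SPKI pin is in the set the
// client shipped with (the current pin, ideally plus a backup pin for the next key).
func MatchesPinSet(cert *x509.Certificate, pins []string) bool {
	pin := SPKIPin(cert)
	for _, p := range pins {
		if p == pin {
			return true
		}
	}
	return false
}

// issueSelfSigned mints a self-signed server leaf for key, valid for days from notBefore.
func issueSelfSigned(key *ecdsa.PrivateKey, serial int64, notBefore time.Time, days int) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "api.example.test"}, // constructed hostname
		DNSNames:     []string{"api.example.test"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, days),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RotationResult records what changes, and what does not, across two kinds of rotation.
type RotationResult struct {
	OldPin, ReissuedPin, NewKeyPin                                           string
	OldFingerprint, ReissuedFingerprint                                      string
	ReissuedAcceptedByOldPin, NewKeyAcceptedByOldPin, NewKeyAcceptedWithBackup bool
}

// DemoRotation issues an expiring cert, re-issues it on the same key with a new
// validity window, then issues one on a fresh key and evaluates both against pin sets.
func DemoRotation() (RotationResult, error) {
	var r RotationResult
	oldKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return r, err
	}
	newKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return r, err
	}
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed date
	oldCert, err := issueSelfSigned(oldKey, 1, start, 365)
	if err != nil {
		return r, err
	}
	reissued, err := issueSelfSigned(oldKey, 2, start.AddDate(1, 0, 0), 365) // same key, new expiry
	if err != nil {
		return r, err
	}
	newKeyCert, err := issueSelfSigned(newKey, 3, start.AddDate(1, 0, 0), 365) // new key pair
	if err != nil {
		return r, err
	}
	r.OldPin, r.ReissuedPin, r.NewKeyPin = SPKIPin(oldCert), SPKIPin(reissued), SPKIPin(newKeyCert)
	r.OldFingerprint, r.ReissuedFingerprint = CertFingerprint(oldCert), CertFingerprint(reissued)
	currentOnly := []string{r.OldPin}
	withBackup := []string{r.OldPin, r.NewKeyPin} // backup pin shipped before the key changes
	r.ReissuedAcceptedByOldPin = MatchesPinSet(reissued, currentOnly)
	r.NewKeyAcceptedByOldPin = MatchesPinSet(newKeyCert, currentOnly)
	r.NewKeyAcceptedWithBackup = MatchesPinSet(newKeyCert, withBackup)
	return r, nil
}

func main() {
	r, err := DemoRotation()
	if err != nil {
		panic(err)
	}
	fmt.Printf("same key, new expiry: pin unchanged=%v, fingerprint changed=%v\n",
		r.OldPin == r.ReissuedPin, r.OldFingerprint != r.ReissuedFingerprint)
	fmt.Printf("new key: passes old pin set=%v, passes set with backup pin=%v\n",
		r.NewKeyAcceptedByOldPin, r.NewKeyAcceptedWithBackup)
}
```

The two hashes separate the two concerns in the question: re-issuing on the same key pair changes the certificate (new serial, new dates, new signature, hence a new fingerprint) but leaves the SPKI pin, and therefore pinned clients, untouched, while a genuine key change produces a new pin that only clients already carrying it as a backup will accept.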