This runbook defines a certificate and pin rotation process for pqmsg-server and Android clients in high-assurance deployments.
- active TLS deployment with
PQMSG_TLS_CERT_PATHandPQMSG_TLS_KEY_PATH, - Android clients using HTTPS with
BuildConfig.TLS_PIN_SHA256, - staged environment matching production hostnames.
Use overlapping validity and staged pin rollout:
- provision a new certificate for the existing hostname,
- compute the new SPKI SHA-256 pin,
- ship a client update that trusts both old and new pins during transition,
- deploy new server certificate,
- verify clients across supported versions,
- remove old pin in a subsequent client release.
For an X.509 certificate file:
openssl x509 -in server.crt -pubkey -noout `
| openssl pkey -pubin -outform der `
| openssl dgst -sha256 -binary `
| openssl base64 -APrefix output with sha256/ for Android pin format.
- Place new certificate and key files on host with restricted permissions.
- Validate key pair consistency before cutover:
openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5- Restart
pqmsg-serverwith:PQMSG_SECURITY_PROFILE=high_assurance,- updated
PQMSG_TLS_CERT_PATH, - updated
PQMSG_TLS_KEY_PATH.
- Verify
/healthresponds andstrict-transport-securityheader is present. - Monitor error rates and failed TLS handshakes during rollout window.
- Build release with both active and next pins accepted by transport policy.
- Roll out client update before server cutover.
- Deploy server certificate.
- Observe successful app connectivity and handshake continuity.
- Remove legacy pin in next release after overlap window closes.
If post-cutover failures exceed threshold:
- revert server to previous certificate/key pair,
- keep both pins in client configuration until incident closure,
- publish incident note and revised rotation window.
- routine renewal target: every 60-90 days,
- pre-expiry alert threshold: 21 days,
- dry-run in staging before every production cutover.