If you are hosting a copy of our nexus.ensighten.com domain certificate on your CDN, for instance if you have a custom self-hosting solution, then you need a copy of our SSL certificate. Customers who host a copy of our certificate are responsible for keeping their hosted copy up to date. Ensighten will include any changes to its certificate in its Release Notifications.
To retrieve a copy of the certificate, run the command below in a terminal that has access to the internet:
echo | openssl s_client -connect nexus.ensighten.com:443 -showcerts
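The following Python example is added here and is not Ensighten's code: it takes the text printed by the command above and the PEM file you host, and reports whether the hosted copy still matches the leaf certificate being served. The function names and the sample certificates (placeholder bytes, not real certificates) are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_certs(text):
    """Return the DER bytes of every PEM certificate in text, in order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)]


def sha256_fingerprint(der):
    """Hex SHA-256 over the DER bytes (what openssl x509 -fingerprint -sha256 hashes)."""
    return hashlib.sha256(der).hexdigest()


def hosted_copy_status(s_client_output, hosted_pem):
    """Compare the hosted copy with the chain printed by -showcerts: "current" if it
    equals the leaf (first certificate printed), "intermediate" if it equals a later
    chain certificate, otherwise "stale"."""
    chain = [sha256_fingerprint(d) for d in pem_certs(s_client_output)]
    hosted = pem_certs(hosted_pem)
    if not chain or not hosted:
        raise ValueError("no PEM certificate found in input")
    pin = sha256_fingerprint(hosted[0])
    if pin == chain[0]:
        return "current"
    return "intermediate" if pin in chain[1:] else "stale"


def _pem(der):
    """Wrap bytes in PEM armor (helper for the constructed samples below)."""
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


# Constructed stand-ins for certificates: placeholder bytes, not real DER.
NEW_LEAF = _pem(b"constructed leaf, reissued" * 8)
OLD_LEAF = _pem(b"constructed leaf, previous" * 8)
INTERMEDIATE = _pem(b"constructed intermediate CA" * 8)
# Constructed s_client output: leaf first, then the intermediate.
SAMPLE_OUTPUT = (
    "CONNECTED(00000003)\n---\nCertificate chain\n 0 s:CN = nexus.ensighten.com\n"
    + NEW_LEAF + " 1 s:CN = Constructed Intermediate\n" + INTERMEDIATE + "---\n"
)

if __name__ == "__main__":
    print(hosted_copy_status(SAMPLE_OUTPUT, OLD_LEAF))  # stale
```

Because the comparison is made on the decoded certificate bytes, a hosted file that differs only in line endings or surrounding text still reports "current".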
Please note that Ensighten provides a self-service First-Party-TDN solution as part of your Manage license. If you do not receive the Release Notifications and would like to be included, please contact Ensighten Support or your Ensighten Rep.
Do you pin nexus.ensighten.com's SSL Certificate?
If you host the Bootstrap on a CDN or have a different reverse proxy setup in front of Ensighten’s networks, you may be pinning our SSL certificate.
When Ensighten re-issues the nexus SSL certificate and you use a copy of it, we recommend that you unpin the nexus certificate. Once the certificate has been reissued, feel free to pin the new certificate.
What Is SSL Pinning?
SSL pinning means that the client checks the server's certificate against a known valid copy of that certificate. It is a mechanism used to protect against certificate mis-issuance by poorly regulated root authorities. While this problem is not as common as it used to be thanks to the efforts of Google and Mozilla, certificate pinning is still one of the best protections you can implement to secure connections to outside resources.
Please note that this article refers explicitly to SSL Pinning and not HPKP (HTTP Public Key Pinning).