How does the X.509 certificate upgrade impact users?

Background

An X.509 certificate is a digital certificate that uses the widely accepted international X.509 public key infrastructure (PKI) standard to verify that a public key belongs to the hostname/domain, organization or individual contained within the certificate.

On 5 November 2019, Procore will be updating the public TLS/SSL X.509 server certificates for the app.procore.com and login.procore.com domains. We are upgrading from using wildcard certificates to certificates that match the fully qualified domain name. Although wildcard certificates may be convenient, they violate the security principle of least privilege. The potential that a certificate's private key may be compromised increases where multiple systems share a wildcard certificate. Additionally, the perceived value of this key to attackers is significantly increased, making it a more attractive target.

Answer

In cases where users employ certificate pinning, web clients are pre-configured to know what server certificate they should expect. In this scenario, the updated X.509 certificate will not match the pre-configured certificate and the client will prevent the session from taking place. If you begin experiencing connectivity issues with Procore after the X.509 certificate upgrade, reach out to your IT department for assistance. Your web clients will need to be updated to properly handle the new certificate. If, on the other hand, your web clients are not configured for certificate pinning, then no action is required - these changes should be seamless. At most, you might be required to re-authenticate after the certificates have been updated.
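The pinning behaviour described above can be checked before the upgrade. The following is an added example, not Procore's code: it classifies each client's pin set against the old and new certificates. It assumes pins are SHA-256 fingerprints of the DER-encoded certificate; the client names, pin sets and certificate bytes are constructed stand-ins.

```python
import hashlib
import ssl

def fingerprint(der: bytes) -> str:
    """Certificate pin: SHA-256 over the DER-encoded certificate, as hex."""
    return hashlib.sha256(der).hexdigest()

def normalize(pin: str) -> str:
    """Accept 'AA:BB:..' or 'aabb..' styles of writing the same pin."""
    return pin.replace(":", "").strip().lower()

def fetch_leaf_der(host: str, port: int = 443) -> bytes:
    """Certificate the server presents right now (needs network access).
    No chain validation happens here, so confirm the fingerprint through a
    second channel before deploying it as a pin."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

def audit_rollover(clients: dict, old_der: bytes, new_der: bytes) -> dict:
    """Map each client name to how its pin set behaves across the upgrade."""
    old_fp, new_fp = fingerprint(old_der), fingerprint(new_der)
    report = {}
    for name, pins in clients.items():
        pins = {normalize(p) for p in pins}
        if not pins:
            report[name] = "no pinning: no action required"
        elif old_fp in pins and new_fp in pins:
            report[name] = "ready: accepts both certificates"
        elif old_fp in pins:
            report[name] = "will fail after upgrade: add the new pin"
        elif new_fp in pins:
            report[name] = "fails until upgrade: old pin already removed"
        else:
            report[name] = "fails now: pins match neither certificate"
    return report

# Constructed stand-ins for the DER bytes of the two certificates; real
# input would come from fetch_leaf_der() or a file supplied by IT.
OLD_WILDCARD_DER = b"constructed stand-in: wildcard certificate"
NEW_FQDN_DER = b"constructed stand-in: FQDN certificate"

# Hypothetical client inventory (names and pin sets are constructed).
CLIENTS = {
    "browser": set(),
    "sync-agent": {fingerprint(OLD_WILDCARD_DER)},
    "mobile-app": {fingerprint(OLD_WILDCARD_DER).upper(), fingerprint(NEW_FQDN_DER)},
}

if __name__ == "__main__":
    for client, status in audit_rollover(CLIENTS, OLD_WILDCARD_DER, NEW_FQDN_DER).items():
        print(f"{client}: {status}")
```

A client that carries both pins through the changeover keeps working on either side of it; the old pin can be removed once the upgrade is complete.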