Hi Jack,

Thank you for reaching out about the SSL certificate change on _.up.railway.app.

I understand this change has impacted your mobile app's functionality. However, I want to clarify that certificate updates are a routine part of our security maintenance process. While the previous certificate may not have expired, it's standard industry practice to rotate certificates proactively to maintain the highest level of security for all our users.

The current certificate will remain in place as part of our security practices. Certificate rotations will continue to occur as part of our normal operations, without advance notifications.

Best regards,

Brody

Hi Brody,
If you change the certificate without prior notice, how can I ensure the industry-standard availability requirements for my users while maintaining security requirements? Releasing a new mobile application with the new certificate built in takes 1-2-3 days, depending on the speed of the App Store Connect and Google Play Console review processes.

How can a company security process be accepted at Railway that does not ensure smooth customer service for mobile application operators?
Best regards, Jack

Hello,

Your app should be using the phone's Root X1 or R11 certificates to verify our certificate, you should not be baking in our current certificate's fingerprint into your application.

With proper certification validation on your part from within your app, you can ensure your users will have a smooth experience without having to update your app whenever we renew our Let's Encrypt certificates.

Best,
Brody