rugk / threema-msgapi-sdk-php

Gateway MsgApi SDK - PHP
https://rugk.github.io/threema-msgapi-sdk-php/

Update key pinning hash #49

Closed rugk closed 7 years ago

rugk commented 7 years ago

Dear Threema Gateway User

For more “Swissness”, and to increase the level of trust (Organization Validation), we are switching our server certificates to SwissSign. On 01.12.2016 at 10:00 CET, the certificate for the web host https://msgapi.threema.ch (which you use for communicating with Threema Gateway) will be changed.

If the HTTPS client that you employ for communication with Threema Gateway uses one of the common CA lists (e.g. Mozilla CA store/NSS) or does not verify server certificates, then you don't need to do anything. The root certificate of SwissSign is already contained in common CA lists. If you have included our old certificate (GeoTrust RapidSSL) manually, you need to make the root certificate of SwissSign Gold G2 available to your HTTPS client.

The root certificate of SwissSign Gold G2 can be found here: https://swisssign.net/cgi-bin/authority/download?ca=Gold%20G2 (other formats see: https://swisssign.net/cgi-bin/trust/import).

If you have any questions concerning this certificate change, contact us at support-gateway-service@threema.ch.

Best regards, Threema Gateway

rugk commented 7 years ago

The HPKP header of Threema has not changed, so they might use the same keypair and therefore the pinning might continue to work.

rugk commented 7 years ago

Okay the key is a different one.

So:

- old key: `pin-sha256="PI1YNwkAgVLVmnydc84An+4reEMvoXcYCEgFP0WEF2Y="` (already included)
- SwissSign cert: `pin-sha256="8SLubAXo6MrrGziVya6HjCS/Cuc7eqtzw1v6AfIW57c="` (already included)
- new backup: `pin-sha256="8kTK9HP1KHIP0sn6T2AFH3Bq+qq3wn2i/OJSMjewpFw="`

So I'll create a PR, which I can merge on 2016-12-01.
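The pins discussed in this thread are RFC 7469 SPKI fingerprints: base64 of the SHA-256 over the DER-encoded SubjectPublicKeyInfo of a certificate, so a pin only changes when the key pair changes, not when the CA does. The following is an added illustration written for this page, not code from threema-msgapi-sdk-php or from Threema: it extracts the SPKI from a DER certificate, computes the pin, and applies the RFC 7469 rules a client uses when evaluating a `Public-Key-Pins` header (at least one pin must match the served chain, and at least one backup pin must not). It uses only the Python standard library; the keys and the certificate skeleton are constructed placeholders with dummy moduli, so the pins they produce are not the real Threema pins quoted above.

```python
"""SPKI pin computation and Public-Key-Pins evaluation (added example, stdlib only).

Pin format per RFC 7469: base64(SHA-256(DER SubjectPublicKeyInfo)).
All keys and the certificate below are constructed placeholders, not real ones.
"""
from __future__ import annotations

import base64
import hashlib
import re


# ---- minimal DER encode/decode --------------------------------------------
def der_len(n: int) -> bytes:
    """DER length, short form (<128) or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    """Wrap body in a TLV with the given tag byte."""
    return bytes([tag]) + der_len(len(body)) + body


def der_read(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Read one TLV at buf[pos]; return (tag, body, position after the TLV)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def der_children(tlv: bytes) -> list[tuple[int, bytes]]:
    """Split a constructed TLV into (tag, full child TLV) pairs."""
    _, body, _ = der_read(tlv)
    out, pos = [], 0
    while pos < len(body):
        tag, _, nxt = der_read(body, pos)
        out.append((tag, body[pos:nxt]))   # keep header + body: the pin hashes the whole TLV
        pos = nxt
    return out


# ---- pin computation -------------------------------------------------------
def spki_from_cert(cert_der: bytes) -> bytes:
    """SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 TBSCertificate:
    [0] version (optional), serial, signature, issuer, validity, subject, SPKI, ...)."""
    tbs = der_children(cert_der)[0][1]
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:          # explicit [0] version present (v2/v3 cert)
        fields = fields[1:]
    return fields[5][1]


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value for a DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_hpkp(header: str) -> dict:
    """Pins and max-age from a Public-Key-Pins header value."""
    pins = re.findall(r'pin-sha256="([A-Za-z0-9+/=]+)"', header)
    m = re.search(r"max-age=(\d+)", header)
    return {"pins": pins, "max_age": int(m.group(1)) if m else None}


def evaluate_hpkp(header: str, chain_der: list[bytes]) -> dict:
    """RFC 7469 checks: a header is only noted if it has >= 2 pins, one pin
    matches an SPKI in the served chain, and one pin (the backup) does not."""
    pins = parse_hpkp(header)["pins"]
    chain_pins = {spki_pin(spki_from_cert(c)) for c in chain_der}
    matched = [p for p in pins if p in chain_pins]
    backup = [p for p in pins if p not in chain_pins]
    return {"matched": matched, "backup": backup,
            "pin_ok": bool(matched),
            "valid_header": len(pins) >= 2 and bool(matched) and bool(backup)}


# ---- constructed sample data (placeholders, not usable keys) ---------------
OID_RSA = bytes.fromhex("2a864886f70d010101")       # rsaEncryption
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption


def fake_rsa_spki(modulus: bytes) -> bytes:
    """Syntactically valid rsaEncryption SPKI around a placeholder modulus."""
    alg = der(0x30, der(0x06, OID_RSA) + der(0x05, b""))
    key = der(0x30, der(0x02, b"\x00" + modulus) + der(0x02, b"\x01\x00\x01"))
    return der(0x30, alg + der(0x03, b"\x00" + key))


def fake_cert(spki: bytes) -> bytes:
    """Unsigned v3 certificate skeleton with empty names, around the given SPKI."""
    sig_alg = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"161201100000Z") + der(0x17, b"191201100000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg
              + der(0x30, b"") + validity + der(0x30, b"") + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 9))


OLD_KEY = fake_rsa_spki(bytes(range(1, 65)))       # stands in for the old pinned key
NEW_KEY = fake_rsa_spki(bytes(range(65, 129)))     # key in the newly served cert
BACKUP_KEY = fake_rsa_spki(bytes(range(129, 193))) # offline backup key


def demo() -> dict:
    """Header carrying old, new and backup pins, evaluated against the new cert."""
    header = "; ".join(f'pin-sha256="{spki_pin(k)}"' for k in (OLD_KEY, NEW_KEY, BACKUP_KEY))
    return evaluate_hpkp(header + "; max-age=5184000", [fake_cert(NEW_KEY)])


if __name__ == "__main__":
    print(demo())
```

Because only the key is hashed, a CA switch with key reuse leaves the pin unchanged (which is what the `HPKP header has not changed` remark was testing for); a rotation to a fresh key requires that the new pin was already published as a backup, otherwise clients that noted the old header will refuse the connection until `max-age` expires.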