Is it possible to have a certificate signed by 2 authorities?

Tags: certificate, letsencrypt, openssl, ssl, ssl-certificate

To explain the situation a bit:

I'm building an iOS application that uses SSL pinning. I've created a self-signed certificate authority that issues SSL certificates to my web server, and the CA's certificate is bundled with the application for verification. I'd like to use letsencrypt to create the SSL certificates for the web server so that they are trusted implicitly by web browsers, but their certificates wouldn't be signed by my CA, so this wouldn't work in the application. (It's worth noting that certificates issued by letsencrypt are very short-lived, so they can't be used directly for SSL pinning.)

So I'd like to generate a certificate using letsencrypt and then cross-sign it with my CA. Is this possible?

Best Answer

A certificate can only contain a single signature. But since you are using SSL pinning anyway, there is no need to have your own CA, because inside your iOS app you simply check the public key fingerprint. As long as you use the same key pair when renewing the certificate with letsencrypt, the public key fingerprint fully identifies the certificate even after renewing.
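The behaviour described in the answer, as an added example that is not part of the original answer: the pin is computed over the certificate's public key (SubjectPublicKeyInfo), so it survives a renewal that reuses the key pair and fails only when the key changes. File names, the CN and the serial numbers are constructed, and self-signed certificates stand in for successive CA issuances.

```shell
#!/usr/bin/env bash
# Constructed demo: file names, CN and serial numbers are made up, and
# self-signed certificates stand in for successive CA issuances.

# Base64 SHA-256 of the certificate's SubjectPublicKeyInfo (the pin).
spki_pin() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary |
        openssl base64
}

# SHA-256 fingerprint of the whole certificate, for comparison.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Generate a P-256 private key at path $1.
new_key() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1"
}

# Issue a certificate for key $1 into file $2 with serial number $3.
issue_cert() {
    openssl req -new -x509 -key "$1" -subj "/CN=pinning.example.test" \
        -set_serial "$3" -days 90 -out "$2" 2>/dev/null
}

# Return 0 if certificate $1 carries the public key behind pin $2.
pin_matches() {
    [ "$(spki_pin "$1")" = "$2" ]
}

demo() {
    d=$(mktemp -d)
    new_key "$d/server.key"
    issue_cert "$d/server.key" "$d/original.pem" 1
    issue_cert "$d/server.key" "$d/renewed.pem" 2    # same key, new certificate
    new_key "$d/rotated.key"
    issue_cert "$d/rotated.key" "$d/rotated.pem" 3   # new key, new certificate
    pin=$(spki_pin "$d/original.pem")
    echo "pin bundled in app: $pin"
    for c in original renewed rotated; do
        if pin_matches "$d/$c.pem" "$pin"; then r=accept; else r=reject; fi
        echo "$c: $r  ($(cert_fingerprint "$d/$c.pem"))"
    done
    rm -rf "$d"
}

demo
```

The renewed certificate has a different whole-certificate fingerprint but the same pin, so pinning the certificate itself would break at every renewal while pinning the key does not. ACME clients may generate a fresh key at each renewal unless told otherwise (certbot's `--reuse-key` option keeps the existing one), so key reuse has to be configured for the pin to hold.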
