...
Pin Private CA +optionally Server Name | Pin Public CA +Server Name | Trust System Store +Server Name | |
|---|---|---|---|
| General | + highest security (no external party) + CA rollover "never" - needs expertise (run own PKI) - installer required (push and pin CA) | + high security (one external party) + no PKI knowledge needed - installer required (pin CA) - CA rollover approx every decade or with vendor change | + installer optional (can type credentials and server name) + no PKI knowledge required + CA rollover never - medium security (many external parties) |
| Windows | - built-in browser will trust the CA for websites(!) | ||
| Apple | |||
| Android | Android versions <4.3: only usable optionAndroid versions 4.3 - 7?: only via API, not configurable with UI | not securely possible with Android <4.3 | not securely possible with Android <4.3 |
| Linux | |||
| ChromeOS | |||
| other |