Maybe you (or anyone) could shed light on something for me?
I'm sure leaf certificate pinning is very common among your customers. Assuming that pinning is a manual process where customers decide to implicitly trust a specific cert, what's the point of using a third-party CA for those customers at all?
Does anybody self-sign or use a private CA on specific endpoints with longer certificate validity, and let the pinning customers use those?
We have explicitly told customers not to pin our certificates and if they suffer downtime due to pinning it will not be considered a breach of our SLA.
We have one customer who has demonstrated enough competence with certificates that we create a private CA endpoint and let them use that. The private root lasts around 5 years, and they pin to that.
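To make the trade-off in the two replies above concrete, here is an added example (not code from any poster in this thread) that builds a throwaway private root, issues a leaf for a constructed hostname `api.example.test`, then rotates the leaf the way a short-lived public cert would be. It compares a client that pinned the first leaf's SPKI hash against one that pinned the root's SPKI hash: the leaf pin breaks on rotation, the root pin keeps validating. All names, lifetimes and the pin format (base64 SHA-256 of the SubjectPublicKeyInfo) are assumptions for the demo, using only Go's standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Constructed names for the demo; nothing here refers to a real deployment.
const hostname = "api.example.test"

// spkiPin returns base64(SHA-256(SubjectPublicKeyInfo)), the usual pin form.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// issue signs tmpl with parentKey; when parent is nil the cert is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// rootTemplate models a long-lived private root (5 years, as in the reply above).
func rootTemplate(now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private Root (demo)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(5, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// leafTemplate models a short-lived server cert that gets rotated every 90 days.
func leafTemplate(now time.Time, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(0, 0, 90),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// chainHasPin is the client-side check: accept the connection only if some
// certificate in the validated chain matches a pinned SPKI hash.
func chainHasPin(chain []*x509.Certificate, pins map[string]bool) bool {
	for _, c := range chain {
		if pins[spkiPin(c)] {
			return true
		}
	}
	return false
}

// RotationOutcome records whether each pinning strategy survives a leaf rotation.
type RotationOutcome struct {
	LeafPinSurvives bool
	RootPinSurvives bool
}

// SimulateRotation pins against leaf #1, rotates to leaf #2 (new key, same root),
// and reports which pin set still validates the fresh chain.
func SimulateRotation() (RotationOutcome, error) {
	now := time.Now()
	root, rootKey, err := issue(rootTemplate(now), nil, nil)
	if err != nil {
		return RotationOutcome{}, err
	}
	leaf1, _, err := issue(leafTemplate(now, 2), root, rootKey)
	if err != nil {
		return RotationOutcome{}, err
	}
	leaf2, _, err := issue(leafTemplate(now, 3), root, rootKey) // rotated leaf, new key
	if err != nil {
		return RotationOutcome{}, err
	}
	leafPins := map[string]bool{spkiPin(leaf1): true}
	rootPins := map[string]bool{spkiPin(root): true}

	pool := x509.NewCertPool()
	pool.AddCert(root)
	chains, err := leaf2.Verify(x509.VerifyOptions{DNSName: hostname, Roots: pool})
	if err != nil {
		return RotationOutcome{}, err
	}
	return RotationOutcome{
		LeafPinSurvives: chainHasPin(chains[0], leafPins),
		RootPinSurvives: chainHasPin(chains[0], rootPins),
	}, nil
}

func main() {
	out, err := SimulateRotation()
	if err != nil {
		panic(err)
	}
	fmt.Printf("after leaf rotation: leaf pin valid=%v, root pin valid=%v\n",
		out.LeafPinSurvives, out.RootPinSurvives)
}
```

The pin check deliberately runs over the chain that `Verify` already accepted, so pinning narrows trust rather than replacing chain validation; pinning the private root's SPKI gives the customer a stable anchor for the root's lifetime while the operator rotates leaves freely.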
I work on a managed platform (Salesforce B2C Commerce Cloud). Accessing and verifying CAs isn't something that's regularly done, but at least it's editable from the web management UI.
chase.com aa.com