What Is Certificate pinning? Security Definition
On This Page
What do you want to do?
Quick Definition
Certificate pinning is a way to prevent fake websites from tricking your device. Normally, your device trusts any certificate signed by a trusted authority. Pinning says: only trust this one specific certificate, no matter who signed it. This stops attackers from using a valid but fraudulent certificate to intercept your data.
Common Commands & Configuration
openssl s_client -connect example.com:443 -showcerts 2>&1 | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' | head -n 30Retrieves the certificate chain from a server for pinning; used to extract the public key or certificate to embed in a client application.
Tests understanding of how to obtain certificates for pinning, especially in CISSP and Security+ exam scenarios.
openssl x509 -in cert.pem -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64Generates the Subject Public Key Information (SPKI) fingerprint in Base64 format for pinning in mobile apps or web clients.
Commonly tested in CySA+ and AWS-SAA exams as the standard method to produce a pinning hash for certificate or public key pinning.
certutil -store -user My 2>&1 | findstr /C:"SSL"Windows command to list user certificate store entries for SSL; used to identify pinned certificates for applications like MD-102 or MS-102 managed endpoints.
Appears in MD-102 and MS-102 exams for managing certificate pinning in enterprise environments with Intune.
netsh http add sslcert ipport=0.0.0.0:443 certhash=abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890 appid={12345678-1234-1234-1234-123456789abc}Pins an SSL certificate to a specific port and application on Windows Server, used for IIS or custom server binding.
Tested in AZ-104 and MS-102 exams for securing Azure VMs or on-premises servers with certificate pinning in load balancer scenarios.
curl --pinnedpubkey 'sha256//AbCdEfGhIjKlMnOpQrStUvWxYz1234567890AbCdEfGhIjKlMnOpQrStUvWxYz' https://example.comUses curl with a pinned public key hash to validate the server certificate against the expected key, failing if mismatch occurs.
Appears in AWS-SAA and Security+ exams as a client-side method to enforce certificate pinning in CI/CD or automated testing.
okhttp3.CertificatePinner certificatePinner = new okhttp3.CertificatePinner.Builder() .add("example.com", "sha256/AbCdEfGhIjKlMnOpQrStUvWxYz1234567890AbCdEfGhIjKlMnOpQrStUvWxYz==") .build();Android/Java code snippet to configure certificate pinning in an OkHttp client for mobile or backend applications.
Frequently referenced in CySA+ and CISSP exams for mobile security controls and developer implementation of certificate pinning.
openssl s_client -connect example.com:443 -servername example.com 2>&1 | openssl x509 -noout -fingerprint -sha256Retrieves the SHA-256 fingerprint of the server certificate, useful for comparing against a pinned fingerprint in configuration files.
Exams like Security+ and SC-900 test this command as a troubleshooting step for mismatched certificate pins.
Certificate pinning appears directly in 4exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CompTIA Security+. Practise them →
Must Know for Exams
Certificate pinning appears across multiple IT certification exams, especially those focused on security and cloud architecture. For the CompTIA Security+ exam, pinning is a topic under the “Secure Network Architecture” and “Identity and Access Management” domains. You may be asked to identify the purpose of pinning in a scenario where an organization wants to prevent man-in-the-middle attacks using a rogue CA. The question might describe an environment where an internal CA is used, and you need to choose the best technique to ensure that only certificates from that specific CA are trusted. Pinning is often contrasted with certificate revocation lists (CRLs) and OCSP stapling.
For the CISSP exam (ISC2 domain 3: Security Architecture and Engineering), pinning is discussed in the context of PKI and cryptographic controls. You may see questions that ask about the difference between certificate pinning and public key pinning, or the risks associated with HPKP. The CISSP exam expects you to understand the operational trade-offs: pinning increases security but reduces flexibility. You might be given a scenario where a system uses pinning and the certificate expires, causing an outage, and asked to identify the best mitigation.
For AWS Solutions Architect Associate (SAA-C03), pinning comes up in the context of API Gateway, CloudFront, and mobile app security. The exam may ask how to ensure that an API endpoint is only accessed by a legitimate mobile app, and one of the answers could involve using certificate pinning with client certificates. You need to know that AWS Certificate Manager (ACM) handles certificate rotation, and if you pin a certificate, you must update your app whenever the certificate is renewed. AWS recommends using public key pinning instead of certificate pinning for this reason.
In Microsoft exams like AZ-104 (Azure Administrator) and MS-102, pinning is less direct but appears in questions about Azure Application Gateway, Web Application Firewall (WAF), and Azure Front Door. You might need to configure end-to-end TLS with pinning for internal services. The exam could ask about scenarios where a customer wants to ensure that clients only trust the specific certificate from the organization’s internal PKI.
For CySA+ (CompTIA Cybersecurity Analyst), you may encounter questions about detecting and preventing certificate-based attacks, including man-in-the-middle attacks that use forged certificates. Pinning is one of the defensive measures you should know, along with HSTS and certificate transparency. The exam may ask which technique would most effectively prevent an attacker from using a fraudulent certificate from a compromised CA.
For SC-900 (Microsoft Security, Compliance, and Identity Fundamentals), pinning is a minor topic but may appear in questions about defense-in-depth strategies. You should understand basic concepts like how pinning prevents MITM attacks, even if you don’t need to know the technical implementation details.
In general, exam questions about certificate pinning are scenario-based. You are given a situation where an organization wants to protect a high-value connection, such as a mobile banking app or a sensitive internal API. The correct answer will involve pinning the server’s certificate or public key. Distractors might include using a wildcard certificate, enabling HSTS, or implementing OCSP. The key differentiator is that pinning removes trust in all CAs except the pinned one.
Simple Meaning
Imagine you have a secret pen pal named Alice. You only want to write to Alice and no one else. The postal service checks that letters addressed to you come from a real mailbox, but sometimes a fake mailbox that looks just like the real one can be created. Normally, you would trust any letter that comes with an official stamp from the post office. But with certificate pinning, you decide you will only accept letters that have Alice’s specific handwriting, no matter what stamp is on the envelope. Even if someone else gets an official stamp and writes to you in a different handwriting, you know it’s not Alice and you throw the letter away.
In the digital world, certificates are like official stamps. They are issued by trusted companies called Certificate Authorities (CAs) to prove that a website is who it says it is. Normally, your device trusts any certificate that has a valid stamp from a CA. This works well most of the time. But if an attacker gets a CA to issue a fraudulent certificate for a website they don’t own, they can intercept your connection and steal your information. Certificate pinning solves this by telling your device: ignore all stamps, only trust this exact certificate that I know belongs to the real website.
For example, when you install a banking app on your phone, the app can be programmed to only accept the bank’s specific certificate. If an attacker tries to use a different certificate to impersonate the bank, the app will refuse to connect. This is like telling your phone, “Only talk to the bank if it shows you this exact ID card, and don’t accept any other ID even if it looks official.”
Certificate pinning is especially important for apps and systems that handle sensitive data, like banking, email, or corporate networks. However, it also has a downside. If the website or app needs to update its certificate for a legitimate reason, such as renewal or expiration, the pinned certificate must be updated on every device that uses it. If not updated, the app or system will not be able to connect, even to the real website. This is like changing your lock and forgetting to give the new key to your friend, they can’t get in even though they are supposed to.
Full Technical Definition
Certificate pinning, also known as public key pinning, is a security mechanism used in Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL). The core purpose of pinning is to associate a host (server) with an expected certificate or public key. This association is enforced by the client, such as a web browser, mobile app, or operating system, which will only establish a secure connection if the server presents a certificate that matches the pinned value. The pinning can be implemented in various ways, including hardcoding the certificate or its public key hash into the application code, using HTTP Public Key Pinning (HPKP) headers, or using Certificate Transparency (CT) logs with Expect-CT headers.
In a standard TLS handshake, the client verifies the server’s certificate by checking that it is signed by a trusted Certificate Authority (CA). This trust model is hierarchical and relies on a list of root CAs stored in the client’s trust store. The vulnerability in this model is that any CA can issue a certificate for any domain, and if a CA is compromised or coerced, it may issue fraudulent certificates. Certificate pinning addresses this by bypassing the CA trust chain for a specific server. Instead, the client directly checks that the server’s certificate matches a pre-configured pin.
There are two primary methods of pinning: certificate pinning and public key pinning. Certificate pinning involves pinning the entire certificate, including its serial number, issuer, and validity period. This is very strict because if the certificate is renewed, the pin must be updated. Public key pinning, on the other hand, pins only the public key contained within the certificate. Since a public key can remain the same across certificate renewals, this method is more flexible. The public key is hashed using a cryptographic hash function like SHA-256, and the resulting hash is stored as the pin.
HTTP Public Key Pinning (HPKP) was a standard defined in RFC 7469 that allowed web servers to instruct browsers to pin their public key for a certain period. The server would send an HPKP header in its response, containing one or more base64-encoded SHA-256 hashes of public keys. The browser would then enforce that future connections to the domain use a certificate whose public key matches one of the pinned hashes. However, HPKP was deprecated by major browsers due to the risk of permanent denial of service if a site administrator lost control of the private key or failed to update pins before certificate expiration. The deprecated status does not mean the concept is dead; it is still widely used in mobile apps and internal enterprise systems.
Modern alternatives to HPKP include Certificate Transparency (CT) and Expect-CT headers, which audit certificate issuance rather than pinning specific certificates. Also, browsers now implement a form of pinning for their own root programs, such as Chrome’s static pinning for Google domains and Firefox’s pinning for Mozilla services. In mobile app development, pinning is typically implemented in the application code using frameworks like OkHttp for Android, NSURLSession for iOS, or by embedding the server’s certificate or public key hash directly in the app’s resources.
In corporate environments, certificate pinning is often used with internal Certificate Authorities (CAs). For example, an enterprise may deploy its own CA to issue certificates for internal services. Client devices can be configured to pin the root CA certificate or the intermediate CA certificate, ensuring that only certificates from that specific CA are trusted. This provides a defense against rogue certificates issued by external CAs for internal domain names.
The implementation of pinning requires careful planning. Pins must be backed up and must have a mechanism for update. Many implementations use backup pins, which are pins for a second key pair that is stored securely offline. If the primary key is compromised or the certificate expires, the backup pin can be used to allow a seamless transition. Client applications also must handle pin validation failures gracefully, offering clear error messages and fallback mechanisms if possible.
From a security perspective, certificate pinning is a strong defense against man-in-the-middle (MITM) attacks and CA compromise. However, it introduces operational complexity. A single misconfiguration can break connectivity for all users until the app is updated. Therefore, it is most appropriate for high-security environments where the risk of a CA breach is considered unacceptable, and the organization has mature certificate lifecycle management processes.
Real-Life Example
Imagine you are the manager of a very exclusive nightclub. The club has a strict rule: only people whose names are on the VIP list can enter. The door security guard has a clipboard with the names of all the VIPs. When someone shows up and claims to be a VIP, the guard checks their ID. Normally, the guard would trust any ID that looks official, a driver’s license, a passport, or a club membership card. But you are worried that someone might forge an ID using a real government template. So you take extra precautions: you tell the guard to only trust IDs that have a specific hologram that only your club’s printer can make, and to also check that the person’s face matches the photo exactly, regardless of how official the ID looks.
Now, the club has a problem. One day, the VIP list needs to be updated because a new member joins. The guard’s clipboard must be updated, but the update process is slow. While waiting, a legitimate VIP with a valid ID is turned away because the guard’s list hasn’t been updated yet. This is exactly what happens when a certificate pin is not updated on a client device. The device refuses to connect to a legitimate server because the server’s new certificate does not match the old pin.
In another scenario, a rival club owner tries to get into your club using a fake ID that looks exactly like a real one, but the hologram is slightly off. Because you have pinned the hologram, the guard catches the fake immediately. This is like a CA issuing a fraudulent certificate for a bank’s domain. Without pinning, the browser would trust the fake certificate because it was signed by a legitimate CA. With pinning, the browser rejects the fake because the certificate’s public key hash doesn’t match the pinned value.
The real world of IT is similar. A typical user’s browser trusts hundreds of root CAs. If any one of them is tricked into issuing a certificate for a high-value site like a bank, the user’s connection can be intercepted. Pinning removes the need to trust all those CAs for that one site. Instead, the user’s device trusts only the specific certificate that the bank deliberately installed. This greatly reduces the attack surface, but it also creates a dependency: every time the bank’s certificate is renewed, every user’s app must be updated, or the bank must use a pin that allows for key rotation.
Why This Term Matters
Certificate pinning matters because it addresses a fundamental weakness in the TLS trust model. The public key infrastructure (PKI) relies on Certificate Authorities to validate identities, but CAs can be compromised, coerced, or make mistakes. There have been well-documented incidents, such as the DigiNotar breach in 2011, where a Dutch CA was hacked and issued fraudulent certificates for Google, Yahoo, and other domains. Without pinning, those fraudulent certificates would have been trusted by all major browsers, allowing the attackers to eavesdrop on encrypted traffic.
For IT professionals and security architects, pinning provides a way to enforce a security boundary that is independent of the CA ecosystem. In enterprise environments, an organization may not fully trust every CA in the browser’s root store. By pinning internal services to a specific internal CA or to the specific certificate of the server, the organization ensures that only its own infrastructure can be used to authenticate its services. This is critical for preventing man-in-the-middle attacks from within the network, such as those performed by malicious devices on the same Wi-Fi network.
Pinning also matters for mobile app security. Mobile apps often communicate with backend APIs over HTTPS. If a user installs a rogue certificate on their device to intercept traffic, the app would normally still connect because the rogue certificate is trusted. With pinning, the app verifies that the server’s certificate matches the hardcoded pin, even if the device’s trust store has been modified. This is especially important for apps that handle financial transactions, healthcare data, or corporate credentials.
On the flip side, pinning can be a liability if not managed well. It can lead to service outages if certificates are rotated without updating pins. It also complicates the development and deployment process because any change to the server’s certificate requires an app update. This operational overhead means that pinning is not always the right choice. For many applications, relying on Certificate Transparency and strict CA validation is sufficient and more maintainable.
Ultimately, pinning is a tool in a larger security strategy. It is not a silver bullet, but it is a powerful defense when applied correctly to high-value targets. Understanding when and how to use pinning is a key skill for security professionals, system administrators, and developers.
How It Appears in Exam Questions
Certificate pinning questions in IT certification exams typically fall into three categories: scenario-based selection, configuration choices, and troubleshooting. In scenario-based questions, the exam presents a situation where a company uses a third-party API or a mobile app that connects to a backend server. They want to ensure that even if the user’s device has a compromised certificate store, the connection remains secure. The question will ask: “Which of the following should the developer implement to ensure the app only trusts the company’s server?” The correct answer is often “Implement certificate pinning in the mobile app.”
Configuration questions might appear in Azure or AWS exams. For example, in AWS, you might be asked: “A company uses AWS API Gateway with a custom domain name. They want to ensure that client applications only trust the API Gateway certificate. What should they do?” The answer could involve using a client certificate pinned to the API stage, or configuring a custom authorizer that validates the client certificate. In Azure, a question might ask: “You have an Azure Application Gateway that terminates TLS. You need to ensure that backend servers only accept connections from the gateway. What should you configure?” The answer might be to configure certificate pinning on the backend server to only trust the Application Gateway’s certificate.
Troubleshooting questions are also common. For instance, a user reports that a mobile banking app stopped connecting to the server after an update. The server’s certificate was renewed, but the app was not updated. The question asks: “What is the most likely cause of the connection failure?” The answer is that the app has certificate pinning and the pinned certificate no longer matches the server’s new certificate. A follow-up question might ask for the solution, which would be to update the app with the new pinned certificate or implement public key pinning instead.
In Security+ and CySA+ exams, you may see questions about HPKP specifically. Even though HPKP is deprecated, it is still covered for historical understanding. A question might ask: “An organization implemented HPKP for its public website. After a major infrastructure change, users cannot access the site. What is the most likely cause?” The answer is that the new server certificate does not match the pinned public key, and the HPKP header is still active.
Another common pattern is a scenario where a company wants to allow only certain internal clients to access a sensitive service. The question might ask: “Which method should be used to ensure that only clients with a specific certificate can connect?“ This is client certificate authentication, not pinning, but the two are often confused. Pinning is about the client verifying the server; client certificates are about the server verifying the client. Exam questions will test your ability to distinguish between these concepts.
Finally, you may encounter questions that compare certificate pinning with other security controls like HSTS, TLS, and OCSP. For example, “A security analyst recommends implementing a control that prevents the use of a fraudulent certificate issued by a compromised CA. Which control would be most effective?” The answer is certificate pinning, because it does not rely on the CA hierarchy to validate the certificate.
Practise Certificate pinning Questions
Test your understanding with exam-style practice questions.
Example Scenario
A medium-sized healthcare company, MedSecure Inc., develops a mobile app for patients to access their medical records. The app communicates with a backend API at https://api.medsecure.com. The company wants to ensure that even if a patient’s phone has a malicious root certificate installed (perhaps through a phishing attack), the app will never connect to a fake server that impersonates the real API.
The development team decides to implement certificate pinning. They obtain the SHA-256 hash of the public key from the server’s certificate for api.medsecure.com. They hardcode this hash into the mobile app’s configuration file. When the app starts a TLS connection to the server, it performs the standard certificate validation, but then it also computes the hash of the server’s public key and compares it to the hardcoded pin. If the hashes do not match, the app immediately terminates the connection and shows an error message to the user: “Unable to connect. Please contact support.”
One month later, a security researcher discovers that a small Certificate Authority used by MedSecure’s hosting provider has been compromised. The attacker obtains a valid certificate for api.medsecure.com from that CA. They set up a fake server and try to intercept patient traffic on a public Wi-Fi network. Without pinning, the patients’ devices would accept the fraudulent certificate because it is signed by a trusted CA. However, because the app has pinned the real server’s public key, the fraudulent certificate’s public key hash does not match. The app refuses to connect, and the attacker’s attempt fails.
Six months later, MedSecure renews its TLS certificate for api.medsecure.com. The new certificate uses a different key pair. The app, which still has the old public key hash, now fails to connect to the legitimate server. The company realizes its mistake: they did not implement a backup pin or a mechanism for updating the pin without a full app update. They push a critical app update with the new hash, and also decide to switch to public key pinning with a backup key for future rotations.
This scenario illustrates both the strength and the operational challenge of certificate pinning. The company successfully prevented a sophisticated MITM attack, but they also caused a temporary outage when the certificate was renewed without updating the app. In an exam, you might be asked to identify the vulnerability in this scenario or to recommend a better approach, such as using public key pinning with a backup key.
Common Mistakes
Thinking certificate pinning is the same as using a self-signed certificate.
A self-signed certificate is not trusted by any CA and is used to encrypt traffic without identity verification. Pinning is a technique used on top of a valid CA-issued certificate to ensure only that specific certificate is trusted. They serve different purposes.
Use a CA-issued certificate for your server, then pin that certificate’s public key in your client to enforce trust.
Believing that certificate pinning makes certificate revocation unnecessary.
Pinning does not replace revocation. A pinned certificate can still be compromised. If the private key of a pinned certificate is stolen, the attacker can use it until the pin is updated. CRL and OCSP are still needed to check revocation status.
Implement certificate revocation checking (OCSP stapling) even when using pinning, and have a plan to rotate pinned keys quickly.
Setting pins for every domain in an application, including less sensitive ones.
Pinning increases operational complexity and risk of connectivity issues. It should only be used for high-value domains. Over-pinning can lead to frequent outages and maintenance headaches.
Only pin certificates for critical services such as authentication endpoints, payment gateways, and APIs handling sensitive data.
Hardcoding a single certificate pin without a backup pin.
If the primary certificate expires or its private key is lost, the service becomes unreachable until the entire application is updated. This can cause a denial of service.
Always include a backup pin for an offline key pair that can be used to issue a new certificate without breaking connectivity.
Confusing certificate pinning with client certificate authentication.
Pinning is the client verifying the server’s certificate. Client certificate authentication is the server verifying the client’s certificate. They address different parts of the TLS handshake.
Use pinning for server verification. Use client certificates for mutual TLS when both sides need to authenticate.
Assuming that pinning protects against all man-in-the-middle attacks.
Pinning protects against MITM attacks that use fraudulent certificates from CAs. However, it does not protect against attacks that compromise the pinned server itself, nor against DNS spoofing that redirects traffic to a different server with a different certificate that may still be pinned (if the attacker controls the pinning logic).
Combine pinning with other controls like HSTS, DNSSEC, and strict transport security to reduce overall attack surface.
Exam Trap — Don't Get Fooled
{"trap":"The exam asks: “A security engineer wants to prevent an attacker from using a fraudulent certificate from a compromised CA. Which mechanism should they implement?” The options include Certificate Pinning, HSTS, OCSP Stapling, and DNSSEC.
Learners often choose OCSP Stapling because it checks revocation, but the question is about preventing the use of a fraudulent certificate from a compromised CA, not revoking a known bad one.","why_learners_choose_it":"Learners think OCSP stapling checks if a certificate is revoked, and a fraudulent certificate from a compromised CA would be revoked. However, revocation is a reactive measure and relies on the CA to publish revocation info promptly.
The CA may not even know it has been compromised until later, so OCSP may not catch it in time.","how_to_avoid_it":"Understand that pinning is a preventive measure that does not rely on the CA’s honesty. It trusts only the specific pinned certificate regardless of CA status.
When the question asks for prevention of fraudulent certificates from a compromised CA, the proactive solution is pinning, not reactive revocation checking."
Commonly Confused With
Certificate revocation is a mechanism for invalidating a certificate before its expiration. Pinning is for forcing trust in only a specific certificate or public key. Revocation is reactive; pinning is proactive. They can be used together.
Revocation is like a store putting a sign that says “Stop accepting this ID.” Pinning is like a bouncer who only lets in people with a specific VIP pass, ignoring all other IDs.
HSTS tells browsers to only connect to a domain over HTTPS, preventing downgrade attacks. It does not verify the certificate’s identity beyond standard validation. Pinning actually validates the certificate content itself. HSTS ensures the connection is encrypted, but it does not prevent a fraudulent certificate from being used.
HSTS is like a sign saying “Use the front door only.” Pinning is like checking the person’s fingerprint before letting them in.
Client certificate authentication is when the server asks the client to present a certificate to prove the client’s identity. Pinning is the opposite: the client checks the server’s certificate. They serve different authentication directions.
Client certs are like showing your ID at the entrance; pinning is like the entrance checking the building manager’s ID to make sure you are at the right place.
Certificate Transparency is a framework for logging all certificates issued by CAs, so that any suspicious issuance can be detected by domain owners. It does not prevent the use of a fraudulent certificate; it only makes it more likely to be discovered. Pinning actively stops the fraudulent certificate from being accepted.
CT is like a public registry of all IDs issued; if a fake ID is made, you can check the registry. Pinning is like your security guard already having the only ID they will accept.
A self-signed certificate is not signed by any CA and is typically used for internal testing or where trust is established out-of-band. Pinning is often applied to CA-signed certificates to add an extra layer of trust. The two concepts are independent.
A self-signed certificate is like a handwritten note; pinning is like verifying that note matches the only note you expect to see, even if it’s handwritten.
Step-by-Step Breakdown
Client initiates TLS handshake
The client (app or browser) sends a ClientHello message to the server, indicating it wants to establish a secure connection. The server responds with its certificate chain, which includes the server’s certificate and possibly intermediate CA certificates.
Standard certificate validation
The client performs standard TLS validation: it checks that the certificate is not expired, matches the domain name, and is signed by a trusted Certificate Authority in its trust store. If any of these checks fail, the connection is terminated. This is the baseline security check.
Pinned hash extraction
If certificate pinning is implemented, the client now extracts the pinned information from its local configuration or code. This can be a hash of the certificate’s public key, or the entire certificate itself. The client has a list of one or more pins for the target server.
Compute hash from server’s certificate
The client computes the SHA-256 hash of the server’s certificate’s public key (or the certificate itself, depending on the implementation). The same hashing algorithm used when the pin was created must be used. For example, it takes the SubjectPublicKeyInfo field of the server’s certificate and hashes it.
Compare computed hash to pinned hash
The client compares the hash computed in the previous step with the pinned value stored locally. If there is a match, the server is considered authenticated. If there is no match, the client checks if there is a backup pin. If none of the pins match, the connection is aborted.
Handle pin validation failure
If the pin does not match, the client must handle the failure. In a mobile app, this usually means the app throws a security exception and possibly logs the event. The user may see an error message like “Connection not secure.” The client should not attempt to fall back to standard validation, as that would defeat the purpose of pinning.
Establish encrypted session
If the pin matches, the TLS handshake continues. The client and server perform key exchange using ephemeral Diffie-Hellman (ECDHE) to generate session keys. All subsequent data is encrypted with those session keys. The client’s confidence is high because both the CA trust and the pin match.
Maintain and update pins
Over time, the server’s certificate will expire and be renewed. The client’s pins must be updated accordingly. For applications, this often requires an app update. For browsers using HPKP, the header directed the browser to enforce pins for a specified period (max-age). This step is critical for operational continuity.
Practical Mini-Lesson
Certificate pinning in practice requires careful planning and a well-defined lifecycle. As a security professional, you need to decide when to use pinning, which method to use, and how to manage pins over time. The first decision is the scope: pinning is best suited for high-security applications where the consequence of a man-in-the-middle attack is catastrophic, such as banking, healthcare, or internal corporate communications. For general public-facing websites, the operational overhead often outweighs the benefit, and other mechanisms like HSTS and Certificate Transparency are sufficient.
Once you decide to implement pinning, you must choose between certificate pinning and public key pinning. Public key pinning is preferred because it allows the certificate to be renewed without changing the public key. If you use the same key pair, you can obtain a new certificate with the same public key, and the pin remains valid. This is easier than certificate pinning, where the entire certificate must match, including the serial number and validity period. To change the public key, you can use a backup pin: you generate a second key pair and store it securely offline. You then pin both the primary and backup public keys. When it is time to rotate, you issue a new certificate with the backup key, update the pins in your client application, and deprecate the old key.
In mobile app development, pinning is implemented at the network layer. For Android apps using OkHttp, you can use the CertificatePinner class. For iOS apps using NSURLSession, you can implement URLSessionDelegate methods to evaluate the server trust and compare the certificate’s public key hash. Both platforms allow you to embed the hash in the app’s configuration. You should never hardcode pins in plain text that can be easily decompiled; instead, obfuscate or encrypt them. Also, test your pinning implementation thoroughly: a common mistake is to implement pinning in a debug build but leave it disabled in production.
Another practical consideration is the fallback behavior. If the pin check fails, the app should not silently connect. It should provide a clear error and log the event. However, you must also consider the user experience: if the error is due to a legitimate certificate rotation that the app has not yet been updated to support, users will be locked out. To avoid this, some organizations implement a “pinning grace period” where the app checks the pin but still allows the connection if it fails, combined with a remote kill switch that can be updated via a server-side configuration. This is risky but can prevent mass outages.
For web applications, HPKP is deprecated, but you can still implement pinning using a service worker or by embedding pins in the application JavaScript. However, this is less reliable than native app pinning. Most modern browsers now rely on static pinning for their own trusted sites and on Certificate Transparency for the rest. As an IT professional, you should stay current with browser security policies because they evolve.
Finally, always monitor your pinned endpoints. Use logging and alerting to detect when a pin validation fails. This could be a sign of an attack or a misconfiguration. In enterprise environments, use a centralized PKI management tool to track certificate expiration and ensure that pins are updated before the certificate expires. Automated certificate management with tools like cert-manager in Kubernetes can help, but the pin updates still require a client update unless you use public key pinning with a stable key pair.
pinning is a powerful but demanding security control. It requires rigorous planning, backup procedures, and regular maintenance. When done correctly, it provides a strong defense against CA compromise and MITM attacks. When done poorly, it can cause widespread outages and user frustration.
Troubleshooting Clues
Certificate pinning fails after server certificate renewal
Symptom: Application or client fails to connect to server with SSL/TLS errors, even though certificate is valid and trusted by root CA.
The pinned certificate hash or public key in the client code matches the old certificate; after renewal, the new certificate has a different public key or hash, causing pin validation to fail.
Exam clue: Exam questions often describe a scenario where a security update breaks connectivity due to certificate pinning, testing the need to update pinned hashes in client configurations.
Misconfigured intermediate CA certificate pinning
Symptom: Client connects to some servers but not others using the same domain; error 'certificate pinning failure' only on specific endpoints.
Intermediate certificates may differ between load-balanced servers or CDN nodes; pinning to an intermediate that is not consistent across all endpoints causes intermittent failures.
Exam clue: Tested in AWS-SAA and AZ-104 exams where multiple backend servers or TLS termination points (e.g., ELB, Application Gateway) use different intermediate CAs.
Pinning to leaf certificate instead of public key
Symptom: After certificate renewal, all clients fail to connect with 'pinning mismatch' errors immediately.
Leaf certificate changes on renewal (even with same key) can break pinning if the fingerprint includes the entire certificate; pinning to the public key avoids this if the key remains unchanged.
Exam clue: CISSP and Security+ exams emphasize the difference between certificate pinning (fragile) and public key pinning (more robust).
HPKP (HTTP Public Key Pinning) header not honored by modern browsers
Symptom: Legacy HPKP headers are ignored; clients connect without error despite mismatched pins.
HPKP was deprecated by major browsers (Chrome, Firefox) starting 2018-2020; modern security ignores the header, so pinning via HPKP is ineffective.
Exam clue: CySA+ and SC-900 exams test awareness of deprecated security mechanisms and recommend modern alternatives like Expect-CT or certificate pinning at the application layer.
Certificate pinning in mobile app fails after app update
Symptom: Old version of mobile app works; updated version fails to connect to backend even though backend certificate is unchanged.
Developers changed the pinned hash or added a new pinning rule in the app update, but the backend certificate does not match the new hash, often due to a mis-synchronized rollout.
Exam clue: Common scenario in MS-102 and MD-102 exams for Intune-managed app deployments where certificate pinning policies must be tested pre-release.
Pinning to an expired certificate
Symptom: Client shows 'certificate expired' error even though the server presents a valid, unexpired certificate.
The pinning configuration includes a hash of an older, expired certificate, and the client checks both the pin and certificate validity; the server's valid certificate does not match the expired pin hash.
Exam clue: Security+ and CISSP exams test the importance of updating pinned hashes alongside certificate lifecycle management.
Pinning fails due to SNI (Server Name Indication) mismatch
Symptom: Client connecting to a domain with multiple virtual hosts gets a certificate pinning error, but domain resolves correctly.
The server may present a default certificate (not matching the requested SNI hostname) causing the pinning check to fail; the client's pin is for the expected hostname's certificate.
Exam clue: Appears in AZ-104 and AWS-SAA exams for multi-tenant or shared hosting environments where SNI configuration affects certificate validation.
Large pin set causing performance degradation
Symptom: Application startup or connection establishment is significantly slower after implementing certificate pinning.
Pinning multiple backup keys (e.g., 10+ hashes) increases memory and computation per connection; mobile devices may experience lag during SSL handshake.
Exam clue: CySA+ and SC-900 exams test best practices for limiting the number of pinned keys to reduce attack surface and performance overhead.
Memory Tip
Remember “Pinning = Prevents Pseudo-PKI.” Pinning stops someone from using a fake certificate from a fraudulent CA, because you trust only the real key, not the entire CA system.
Learn This Topic Fully
This glossary page explains what Certificate pinning means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
CISSPCISSP →CS0-003CompTIA CySA+ →SY0-701CompTIA Security+ →MD-102MD-102 →MS-102MS-102 →AZ-104AZ-104 →SC-900SC-900 →SAA-C03SAA-C03 →220-1102CompTIA A+ Core 2 →CDLGoogle CDL →ISC2 CCISC2 CC →Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
An AAAA record is a DNS record that maps a domain name to an IPv6 address, allowing devices to find each other over the internet using the newer IP addressing system.
5G is the fifth generation of cellular network technology, designed to deliver faster speeds, lower latency, and support for many more connected devices than previous generations.
A 3D printer is a device that creates physical objects by depositing layers of material based on a digital model.
A/B testing is a controlled experiment that compares two versions of a single variable to determine which one performs better against a predefined metric.
Quick Knowledge Check
1.A company implements certificate pinning in its mobile app using the leaf certificate's SHA-256 fingerprint. After the certificate is renewed (new key pair), all users experience connection failures. Which change should be made to prevent this in the future?
2.An administrator notices that a web application using HPKP (HTTP Public Key Pinning) is being accessed without errors despite the server presenting a different certificate than the pinned one. What is the most likely cause?
3.During a security audit, an engineer extracts the SHA-256 public key fingerprint of a server certificate using OpenSSL. Which subsequent step is essential for proper certificate pinning in a client application?
4.A sysadmin implements certificate pinning on a Windows server using netsh http add sslcert. After a certificate renewal, the service stops accepting connections. What is the most likely cause?
5.A mobile app uses certificate pinning with OkHttp in Android. After the app is updated via Intune, some users on corporate devices cannot connect to the backend, while others on personal devices can. What is the most likely root cause?
6.An organization wants to implement certificate pinning for an API accessed by multiple microservices. Which approach provides the best balance between security and maintainability?