eastbaycyber

What Is Certificate Pinning?

Glossary 6 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-13
Definition

Under normal HTTPS or TLS validation, a client checks whether a server certificate:

Certificate pinning is a security technique that tells an application to trust only specific certificates or public keys for a given server or service. Instead of relying solely on the normal TLS trust chain, certificate pinning adds an extra check so the app will accept only the expected identity for that connection.

This is mainly used to reduce some man-in-the-middle risks, especially in mobile apps and other controlled clients. For related background, see what is tls and what is man in the middle attack.

How certificate pinning works

Certificate pinning does not replace TLS. It adds a stricter validation step on top of it.

The application stores a known identity

The pinned value is usually one of these:

  • A specific server certificate
  • A certificate fingerprint
  • A public key
  • A hash of a public key
  • A small backup set of approved keys

In practice, public key pinning is often more flexible than pinning a whole certificate, because certificates may rotate more often than the underlying key.

The client performs normal TLS validation

When the app connects to the server, it still performs the standard TLS checks:

  • Is the certificate chain valid?
  • Does the hostname match?
  • Is the certificate within its validity period?
  • Is the issuing authority trusted?

If those checks fail, the connection fails.

The app compares the certificate or key to the pinned value

If the TLS checks pass, the app then compares what it received from the server with the value it has pinned.

If it matches, the connection continues.

If it does not match, the app rejects the connection, even if the certificate would normally be considered valid by the operating system or browser.

Why certificate pinning is used

The main reason to use certificate pinning is to reduce trust in the broader public certificate authority ecosystem.

Without pinning, a client may accept any valid certificate for the domain as long as it chains to a trusted root. With pinning, the app can reject unexpected certificates even if they are technically valid.

This can help defend against scenarios such as:

  • A rogue or compromised CA issuing an unexpected certificate
  • A hostile network attempting TLS interception
  • A device with an unapproved root certificate installed
  • A man-in-the-middle setup that presents a valid but unexpected certificate

That said, certificate pinning is not a general fix for all TLS problems. It is a narrower control for specific trust concerns.

Common types of certificate pinning

Certificate pinning

This approach pins the exact server certificate or its fingerprint.

It is straightforward, but it can be fragile. If the certificate changes during routine renewal, the application may stop working unless it is updated in time.

Public key pinning

This approach pins the server’s public key or a hash of it.

It is often more practical because the certificate can be renewed without breaking the client, as long as the same key is still used.

Backup pinning

Some apps pin a primary key and one or more backup keys.

This helps avoid outages if the primary certificate or key needs to be replaced unexpectedly.

When you will encounter certificate pinning

You are most likely to encounter certificate pinning in:

  • Mobile app security
  • Banking or healthcare apps
  • High-security API clients
  • Reverse engineering and traffic inspection work
  • Enterprise environments using HTTPS inspection

Common examples include:

Mobile applications

A mobile app may pin its backend API certificate or public key so the app will not trust an unexpected certificate, even on a hostile or intercepted network.

Sensitive client applications

Apps handling financial, healthcare, or other regulated data may use pinning to reduce the chance of trusted-but-unwanted certificates being accepted.

Proxy and debugging conflicts

Security testers and developers often run into certificate pinning when trying to inspect application traffic through an intercepting proxy. The proxy certificate may be valid locally, but the app still rejects it because it does not match the pinned identity.

Enterprise inspection environments

Some organizations inspect HTTPS traffic with trusted proxy certificates. Certificate-pinned apps may fail in these environments because they are designed not to trust replacement certificates.

Benefits of certificate pinning

When implemented carefully, certificate pinning can provide:

  • Stronger control over which server identities are trusted
  • Better resistance to some TLS interception scenarios
  • Reduced exposure to unexpected CA-issued certificates
  • Added protection for controlled client-to-server communication

It is most useful where the application talks to a known set of backend services and the operator can manage certificate lifecycle carefully.

Risks and limitations of certificate pinning

Certificate pinning has real tradeoffs.

Operational fragility

If the certificate or key changes unexpectedly and the app is not updated, legitimate connections can fail. This can create outages for users.

Harder certificate rotation

Routine certificate renewal becomes more sensitive, especially if the app pins a leaf certificate instead of a public key.

Problems with debugging and inspection

Pinning can interfere with troubleshooting, QA testing, and legitimate HTTPS inspection used for enterprise security monitoring.

Limited value if poorly managed

If backup pins are missing or update processes are weak, pinning may increase operational risk more than it improves security.

Because of these tradeoffs, many teams use certificate pinning selectively rather than by default.

Certificate pinning vs normal TLS validation

Normal TLS validation asks:

  • Is this certificate valid for the host?
  • Does it chain to a trusted root?

Certificate pinning asks an additional question:

  • Is this the exact certificate or key this application was designed to trust?

That extra step is what makes pinning stricter than ordinary browser-style trust.

Should most teams use certificate pinning?

Not always.

Certificate pinning can make sense when:

  • The app is tightly controlled
  • The backend services are well known
  • Certificate lifecycle is managed carefully
  • The threat model includes hostile or intercepted networks

It may be less attractive when:

  • Certificates rotate frequently
  • Operational flexibility matters more
  • Enterprise inspection is required
  • The team cannot reliably manage backup pins and updates

For general users and small teams, strong basics usually matter more first: good password hygiene with tools like Try 1Password →, endpoint protection such as Get Malwarebytes →, and secure remote access habits. If you use public Wi-Fi often, a VPN like Check NordVPN pricing → or Try Proton VPN → can improve privacy in transit, though it is not a substitute for proper TLS validation inside an app.

Final takeaway

Certificate pinning is a technique that limits which certificates or keys an app will trust for a specific server or service. It adds a stricter layer on top of normal TLS validation so an app accepts only expected identities, not just any certificate the system trust store would allow.

That can reduce some man-in-the-middle and rogue certificate risks, but it also creates operational overhead. In practice, certificate pinning is most useful when the client and backend are tightly controlled and the organization can manage certificate and key changes carefully.

Last verified: 2026-05-13

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.