The Trust Problem Pinning Solves
Normal TLS trusts any certificate signed by any certificate authority in the device's trust store. If one of those hundreds of authorities is tricked or compromised, an attacker can mint a valid-looking certificate for your domain.
Certificate pinning narrows that trust. The client ships with a copy, or a hash, of the exact certificate or public key it expects. During the handshake it rejects the connection unless the server presents the pinned value, even if a different certificate is otherwise valid.
Pinning Choices and Pitfalls
- Pin the public key rather than the full certificate so renewals do not break the app.
- Always ship a backup pin so you can rotate keys without locking users out.
- Pinning is most valuable in mobile apps where you control the client.
The risk is operational: a botched key rotation with no backup pin can brick every client until an update ships.
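The public-key pin check with a backup pin, as an added example that is not part of the original page: it extracts the SubjectPublicKeyInfo from a DER certificate and compares its SHA-256 hash with the shipped pin set. All function names are hypothetical, and the sample certificates are constructed, unsigned skeletons with dummy keys.

```python
import base64
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long form: low 7 bits give the count of length bytes
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_of(cert_der):
    """Extract the raw SubjectPublicKeyInfo TLV from a DER X.509 certificate."""
    _, tbs_at, _ = read_tlv(cert_der, 0)        # outer Certificate SEQUENCE
    _, pos, end = read_tlv(cert_der, tbs_at)    # TBSCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, nxt = read_tlv(cert_der, pos)
        if tag != 0xA0:                         # drop the optional [0] version
            fields.append(cert_der[pos:nxt])
        pos = nxt
    if len(fields) < 6:
        raise ValueError("not a certificate")
    return fields[5]  # serial, sigAlg, issuer, validity, subject, then SPKI

def pin(spki):
    """Pin value: base64 of SHA-256 over the SPKI bytes."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

def connection_allowed(cert_der, pins):
    """Pin check; assumed to run after ordinary chain validation has passed."""
    return pin(spki_of(cert_der)) in pins

# --- constructed sample data: unsigned certificate skeletons, dummy keys ---
def tlv(tag, body):
    n = len(body)  # samples stay under 256 bytes, so one length byte suffices
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def sample_spki(key):
    return tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + key))

def sample_cert(serial, spki):
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial])) + tlv(0x30, b"") * 4 + spki
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

PRIMARY, BACKUP, ROGUE = (sample_spki(bytes([k]) * 140) for k in (1, 2, 3))
PINS = {pin(PRIMARY), pin(BACKUP)}  # the pin set shipped in the client
```

A renewed certificate on the same key still matches, a certificate on the backup key matches only because its pin shipped in advance, and a certificate on any other key is rejected.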
Key idea
Certificate pinning replaces broad trust in every authority with trust in one expected key, blocking forged certificates, but it demands backup pins and careful rotation to avoid locking out clients.