Certificate Pinning

Certificate pinning is a security mechanism that binds a specific cryptographic identity (a certificate or public key) to a particular host, rejecting all other certificates even if they are signed by a trusted certificate authority (CA). This defends against sophisticated man-in-the-middle attacks where an attacker obtains a fraudulent but CA-signed certificate for the target domain -- whether through CA compromise, CA coercion by a state actor, or misuse of enterprise CA certificates installed on managed devices.

There are several approaches to certificate pinning: pinning the leaf certificate (most specific but requires updates on every certificate renewal), pinning the public key (survives certificate renewals as long as the key pair is reused), pinning an intermediate CA certificate (provides a balance between security and operational flexibility), and using backup pins to prevent lockouts during planned or emergency certificate rotations. The HTTP Public Key Pinning (HPKP) header was deprecated by browsers due to the risk of self-inflicted denial of service, but pinning remains important in mobile apps and server-to-server communication.

In practice, certificate pinning is most commonly implemented in mobile applications (iOS Trust Evaluation API, Android Network Security Configuration) and in server-to-server communication for critical API integrations. For web applications, Certificate Transparency (CT) logs and the Expect-CT header have largely replaced browser-side pinning. Server-side implementations in Node.js can use the checkServerIdentity option in TLS connections or the ca option in HTTPS agents to pin specific certificates.