Certificate pinning is a way to tell clients which certificate or CA they should expect to see when they connect to your website.
Resources for finding out more about pinning are listed below:

  • https://tools.ietf.org/html/draft-ietf-websec-key-pinning
  • http://www.imperialviolet.org/2011/05/04/pinning.html
  • http://www.thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/

    This tool builds upon the Go implementation of certificate pinning from the key-pinning draft.


    Example Output

    Certificate Pin created for www.google.com

    To install in Chrome:

    Go to chrome://net-internals/#hsts to manually add it to your chrome install

    sha1/PH28jUH5JV3EJIKi5wVf64OTZK4=

    To use on your website:

    Add to your website's headers using a method similar to HSTS (HTTP Strict Transport Security).
    You MUST have a backup pin if you are using this method, otherwise, the browser will ignore the pin attempt.
    You should get either a backup certificate, or the CA's cert that signs your server certs and run it again below
    and add the line that starts with pin-sha256 into the headers you are sending to your clients.

    Public-Key-Pins: max-age=31536000;
     pin-sha256="dhPKqMNshz05+vFbUc5C2HmcXReO04Fi+LtdzlydVD0=";

    To use in your Android app using Moxie's AndroidPinning library:

    ...
    PinningTrustManager(new String[] {"63f1353dd35fe084d20627b7861320d02aa18f14"});
    ...


    Creative Commons License
    CertPins by is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
    Based on a work at https://github.com/cem-/certpins.