
Certificate Pinning Failure Explained

Certificate pinning failures occur when an app or browser rejects a certificate that doesn't match a known-good value. Learn what pinning is and how to debug failures.

Certificate pinning is a security technique where an application ships with one or more expected certificate properties (typically a hash of the public key, or of the full certificate, of the leaf or of an intermediate) and rejects any TLS connection whose certificate chain contains no match, even if that chain validates to a CA the platform trusts. A pinning failure occurs when nothing in the presented chain matches a pinned value. Because the pin check runs after ordinary chain validation, a failure means the connection is refused at the client; the server never sees a request.

Types of Pinning

  • Certificate pinning: The app expects the hash of one exact certificate. Brittle: it breaks at every renewal, because a renewed certificate has at least a new serial number and validity period, so its hash changes even when the key does not.
  • Public key pinning (SPKI pinning): The app expects the hash of a specific SubjectPublicKeyInfo. More flexible, since a renewed certificate issued for the same key pair passes. It still breaks if the key pair is rotated. This is the form HPKP used and that Android's Network Security Config and OkHttp's CertificatePinner use.
  • CA pinning: The app pins the public key of a specific intermediate or root CA and accepts any leaf that chains to it. Least brittle and easiest to maintain, but it does not protect against a certificate mis-issued by that CA or obtained from it by an attacker, which is exactly the case leaf pinning is meant to stop.

HTTP Public Key Pinning (HPKP) Is Dead

HTTP Public Key Pinning (HPKP) let a site set a pinning policy via the Public-Key-Pins response header. Chrome announced its deprecation in 2017 and removed support in Chrome 72 (January 2019); Firefox removed it in Firefox 72 (January 2020). The header is now ignored, so sending it does nothing. It was withdrawn because operators could, through a misconfigured pin or a lost key, lock every returning visitor out of their own site for the pin's max-age, and an attacker who briefly controlled a site could do the same deliberately. The only pinning that survives in browsers is the static, preloaded pin list built into Chrome and Firefox for a small set of domains (Google and Mozilla properties among them). Pinning you will meet in practice today lives in native and mobile applications, not in browsers.

Common Causes of Pinning Failures

  • A mobile app has hardcoded pins that went stale after a certificate renewal, and users on old app versions keep failing until they update
  • The certificate was renewed with a new key pair, breaking public-key pins. Many ACME clients do this by default (certbot generates a fresh key on every renewal unless run with --reuse-key), so an automated renewal can silently rotate the key under a pinned deployment
  • An intercepting proxy (corporate HTTPS inspection, or a Burp or mitmproxy instance during testing) is presenting a certificate from its own CA. Here the pin is working as designed; the fix is to exempt the host from inspection or to use a debug build without pins, not to weaken the pin set
  • A CDN or load balancer terminates TLS with a different certificate and key than the origin, or a multi-region deployment serves different certificates from different edges, so only some users fail
  • The pin was computed on the wrong object (the certificate hash where the client expects an SPKI hash, or a hex digest where the client expects base64), so it never matched anything

How to Diagnose

First capture the certificate the app actually received: from the client's error log, or by connecting to the same endpoint with the same SNI the app uses (openssl s_client -connect host:443 -servername host) and saving the chain. Paste that certificate into the decoder and compare its SHA-256 fingerprint and its public key information against the pinned values in the app. Remember that a pin may be satisfied by any certificate in the chain, so check the intermediates as well as the leaf. For mobile apps, the pinned values live in the bundled configuration (for example Android's network_security_config.xml, an OkHttp CertificatePinner, or certificate files in the app bundle); compare those against what the server now presents. If the served certificate is issued by a corporate or testing proxy's CA rather than by the expected public CA, the failure is the pin doing its job.

How to Fix It

Update the pinned values in the application to match the current certificate or public key, ship the new build, and keep the old pin in the set until clients running the old build are gone. For future deployments: pin the SubjectPublicKeyInfo rather than the whole certificate so routine renewals do not break anything; generate at least one backup key pair in advance, keep it offline, and ship its SPKI hash as a backup pin, so that the server can switch to that key at any time and pinned clients accept it immediately without an app update; and push pin updates to clients well before the certificate or key they cover changes. Treat every key rotation as a release-coordinated event, and if you cannot control the client update cadence, consider pinning the issuing intermediate or CA instead of the leaf.
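The renewal scenarios from the causes list above, worked through end to end, as an added shell example that is not code from the original page. It uses only the openssl CLI: it generates two throwaway key pairs and three self-signed certificates (constructed fixtures; the hostname api.example.test and all file names are made up), computes the SPKI pin the way HPKP, Android's Network Security Config and OkHttp define it, and runs a small emulation of the client-side pin check with a primary pin alone and with a primary plus backup pin.

```shell
#!/bin/sh
# Added example (not from the original page). Requires the openssl CLI.
# Constructed fixtures only: throwaway keys and self-signed certs in a temp dir.
set -eu

# SPKI pin as used by HPKP, Android NSC and OkHttp:
# base64( SHA-256( DER-encoded SubjectPublicKeyInfo ) ), 44 characters.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# Same pin computed from a private key file, i.e. how a backup pin is produced
# for a key that has been generated but not yet put into a certificate.
key_pin() {
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# Whole-certificate fingerprint: what plain "certificate pinning" compares.
cert_fp() {
  openssl x509 -in "$1" -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# Emulation of the client's check: the served leaf's SPKI pin must equal one of
# the bundled pins (primary or backup). Returns 0 on match, 1 on pin failure.
# usage: pin_check CERT_PEM PIN [PIN ...]
pin_check() {
  served=$(spki_pin "$1"); shift
  for pinned in "$@"; do
    [ "$pinned" = "$served" ] && return 0
  done
  return 1
}

# Self-signed certificate for hostname $2 using private key $1, written to $3,
# with serial $4 so the three fixtures are distinct certificates.
issue_cert() {
  openssl req -x509 -new -key "$1" -subj "/CN=$2" -days 30 \
    -set_serial "$4" -out "$3"
}

# Fixtures: key_a is kept across one renewal, key_b is a fresh key pair.
# Prints the directory so callers can locate the files.
make_fixtures() {
  dir=$(mktemp -d)
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/key_a.pem"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/key_b.pem"
  issue_cert "$dir/key_a.pem" api.example.test "$dir/cert_v1.pem" 1  # original deployment
  issue_cert "$dir/key_a.pem" api.example.test "$dir/cert_v2.pem" 2  # renewal, same key pair
  issue_cert "$dir/key_b.pem" api.example.test "$dir/cert_v3.pem" 3  # renewal with a new key pair
  echo "$dir"
}

main() {
  d=$(make_fixtures)
  primary=$(key_pin "$d/key_a.pem")   # pin shipped in the app at release time
  backup=$(key_pin "$d/key_b.pem")    # pin of a spare key generated in advance, held offline
  for c in cert_v1 cert_v2 cert_v3; do
    printf '%s\n  spki=%s\n  cert=%s\n' "$c" "$(spki_pin "$d/$c.pem")" "$(cert_fp "$d/$c.pem")"
    if pin_check "$d/$c.pem" "$primary"; then
      echo "  primary pin only : OK"
    else
      echo "  primary pin only : PINNING FAILURE"
    fi
    if pin_check "$d/$c.pem" "$primary" "$backup"; then
      echo "  primary + backup : OK"
    else
      echo "  primary + backup : PINNING FAILURE"
    fi
  done
  rm -rf "$d"
}

main
```

Run it and the report shows the whole story: cert_v1 and cert_v2 share an SPKI pin but have different certificate fingerprints (so an SPKI pin survives the renewal and a certificate pin does not), cert_v3 fails against the primary pin alone (the key was rotated) and passes once the backup pin is in the set, and the backup pin computed from key_b.pem before any certificate existed for it is byte-for-byte the pin later computed from cert_v3.pem. To diagnose a live endpoint, fetch what the server actually sends with openssl s_client -connect host:443 -servername host </dev/null, pass its output through openssl x509 -out served.pem, and feed served.pem to spki_pin; the value it prints is what your bundled pin has to match.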

Ready to inspect a certificate?

Use the free decoder to decode any PEM certificate and see all of its fields, including SANs, fingerprints, validity dates, and extensions.

Decode a Certificate