TL;DR: Certificate pinning can reduce exposure to misissuance and man-in-the-middle attacks, but it also creates brittle recovery paths when keys, issuers, or certificates must change, according to DigiCert. The core issue is that pinning trades flexibility for a security promise that is hard to sustain across real certificate lifecycles.
NHIMG editorial — based on content published by DigiCert: Stop Certificate Pinning
Questions worth separating out
Q: What breaks when certificate pinning is not paired with a recovery path?
A: The biggest failure is that clients can keep rejecting valid replacement certificates after revocation, issuer changes, or key compromise.
Q: When does certificate pinning create more risk than it reduces?
A: It becomes riskier when the environment changes faster than client updates can be deployed.
Q: What do security teams get wrong about certificate pinning?
A: Teams often treat pinning as a simple hardening layer, when it is really a trust governance decision with operational consequences.
Practitioner guidance
- Inventory pinned trust dependencies: identify where public keys, certificate authorities, or end-entity certificates are hard-coded in apps, browsers, firmware, or mobile clients.
- Test certificate replacement paths: run controlled change exercises for revocation, issuer replacement, and intermediate rollover so you know which clients can accept new certificates without redeployment.
- Prefer replaceable trust chains: use trust designs that allow rotation without embedding long-lived pins, and limit the number of systems dependent on any one intermediate or issuer.
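The Q&A above and the three guidance items describe the recovery failures in prose. The Python model below is an added example, not code from the DigiCert post or from NHIMG: it replays the lifecycle events the text names (a planned leaf rotation to a pre-pinned backup key, an emergency rotation to a fresh key, an intermediate replacement, and pin expiry) against HPKP-style pin sets and reports which clients would still connect. The SPKI byte strings, timestamps, and the `evaluate_pins` helper are constructed for illustration; real pins hash the DER-encoded SubjectPublicKeyInfo of an actual certificate.

```python
import base64
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo (SPKI) blobs.
# Real pins hash the SPKI bytes pulled from an X.509 certificate; these
# placeholders let the example run offline without a TLS stack.
LEAF_KEY_2024 = b"constructed-spki:leaf-key-2024"
LEAF_KEY_2025 = b"constructed-spki:leaf-key-2025"          # unplanned new leaf key
BACKUP_KEY = b"constructed-spki:offline-backup-key"         # pre-generated, kept offline
INTERMEDIATE_A = b"constructed-spki:intermediate-issuer-a"
INTERMEDIATE_B = b"constructed-spki:intermediate-issuer-b"  # replacement issuer

DAY = 24 * 3600
T0 = 1_700_000_000  # constructed reference time (epoch seconds)


def spki_pin(spki_der: bytes) -> str:
    """Pin value: base64(SHA-256(SPKI bytes)), the format HPKP and most
    mobile pinning libraries use."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def evaluate_pins(chain_spkis, pins, now, pin_expiry):
    """Decide whether a presented chain satisfies a pin set.

    Returns (accepted, reason). A chain passes if ANY certificate in it
    (leaf, intermediate or root) matches ANY configured pin, which is the
    HPKP matching rule. Pins past `pin_expiry` are ignored so that a client
    that never received an update degrades to ordinary chain validation
    instead of refusing every valid replacement certificate forever.
    """
    if now >= pin_expiry:
        return True, "pin set expired; fell back to normal chain validation"
    presented = {spki_pin(s) for s in chain_spkis}
    if presented & set(pins):
        return True, "a pinned key is present in the chain"
    return False, "no pinned key in chain; connection refused"


def rotation_scenarios():
    """Replay the lifecycle events from the text against three pin designs
    and return whether each client would still connect."""
    chain_today = [LEAF_KEY_2024, INTERMEDIATE_A]
    chain_planned_rotation = [BACKUP_KEY, INTERMEDIATE_A]       # rotate to the pre-pinned backup
    chain_emergency_rotation = [LEAF_KEY_2025, INTERMEDIATE_A]  # key compromise, fresh key
    chain_issuer_replaced = [LEAF_KEY_2025, INTERMEDIATE_B]     # CA swaps the intermediate
    long_expiry = T0 + 365 * DAY
    short_expiry = T0 + 30 * DAY
    later = T0 + 60 * DAY

    leaf_only = [spki_pin(LEAF_KEY_2024)]
    leaf_plus_backup = [spki_pin(LEAF_KEY_2024), spki_pin(BACKUP_KEY)]
    intermediate_only = [spki_pin(INTERMEDIATE_A)]

    return {
        # Design 1: pin the live leaf key only. Any rotation strands the client.
        "leaf_only/today": evaluate_pins(chain_today, leaf_only, T0, long_expiry)[0],
        "leaf_only/planned_rotation": evaluate_pins(chain_planned_rotation, leaf_only, later, long_expiry)[0],
        # Design 2: leaf plus an offline backup pin. Planned rotation works,
        # but an emergency key that was never pinned still locks clients out.
        "backup/planned_rotation": evaluate_pins(chain_planned_rotation, leaf_plus_backup, later, long_expiry)[0],
        "backup/emergency_rotation": evaluate_pins(chain_emergency_rotation, leaf_plus_backup, later, long_expiry)[0],
        # Design 3: pin the intermediate. Leaf rotations are free, but the
        # issuer replacement the article describes breaks every client at once.
        "intermediate/emergency_rotation": evaluate_pins(chain_emergency_rotation, intermediate_only, later, long_expiry)[0],
        "intermediate/issuer_replaced": evaluate_pins(chain_issuer_replaced, intermediate_only, later, long_expiry)[0],
        # Recovery path: a short pin lifetime lets stale clients recover on their own.
        "leaf_only/short_expiry_after_issuer_change": evaluate_pins(chain_issuer_replaced, leaf_only, later, short_expiry)[0],
    }


if __name__ == "__main__":
    for name, ok in rotation_scenarios().items():
        print(f"{name:45} {'connects' if ok else 'REFUSED'}")
```

Running the script prints one line per scenario. The two designs that survive their own planned change still fail the change they did not plan for, which is the trade-off the text describes: every pin is a bet on which part of the chain will stay fixed, and only the expiry fallback gives an un-updated client a way out. When inventorying pins (first guidance item), record which chain element each pin binds to and what its expiry is, because that pair determines which of these rows applies to each client population.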
What's in the full article
DigiCert's full post covers the operational detail this post intentionally leaves for the source:
- How HPKP failure modes played out in browsers and applications after pinning was introduced.
- The specific intermediate CA replacement schedule and how shorter lifetimes change certificate handling.
- Why shorter intermediate validity periods reduce the practical incentive to pin a CA chain.
- The certificate bucketing effect that limits how many issued certificates are affected by a future deprecation.
Read DigiCert's analysis of why certificate pinning creates recovery risk.
Certificate pinning: why the governance trade-off no longer works?