Certificate pinning

Achim Gratz Stromeko at nexgo.de
Mon Nov 8 19:21:37 UTC 2021

Hal Murray via devel writes:
>> That doesn't do pinning, it reduces the source of trust anchors to just a
>> single one. 
> Thanks.  Would you please give me a lesson (or pointer to one) on this area.


> Does pinning work with a typical cert-chain that I get from a server?  If so,
> where do I get the certificate that I'm looking for?

Most certificate chains you will encounter for public systems have at
least one intermediate.  You probably should pin both the intermediate
and the root certificate, but continue to validate both.  If you put the
trust anchor at the intermediate, any certificate validation stops there
(and if the chain has alternates they won't be checked either of

