Certificate Pinning lets you specify one or more SHA‑256 fingerprints of certificates that must appear in the server’s TLS chain. LanceX can pin either the leaf certificate or a CA certificate (intermediate or root) present in the verified chain.
The Hash
- It can be computed over the certificate’s DER bytes (the exact ASN.1 encoding in x509.Certificate.Raw).
- It is the same as HPKP’s algorithm, which is computed over the public key information.
Mechanism
- If the hash matches the leaf certificate, it will be accepted immediately.
- If the hash matches a root or intermediate certificate, the application will verify all certificates between it and the leaf.
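
The two rules above can be sketched in Go as follows. This is an added example, not LanceX's own code: `Fingerprint`, `CheckPins` and `issue` are hypothetical names, the fingerprint is assumed to be SHA-256 over `cert.Raw`, and the certificates are throwaway fixtures generated at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Fingerprint returns the hex SHA-256 of the certificate's DER bytes (cert.Raw).
func Fingerprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.Raw))
}

// CheckPins walks a leaf-first chain upward and accepts at the first pinned
// certificate; each step up first verifies the signature on the link below.
func CheckPins(chain []*x509.Certificate, pins map[string]bool) error {
	for i, c := range chain {
		if i > 0 && chain[i-1].CheckSignatureFrom(c) != nil {
			return fmt.Errorf("chain[%d] is not signed by chain[%d]", i-1, i)
		}
		if pins[Fingerprint(c)] {
			return nil // i == 0 is a leaf pin: nothing above it is examined
		}
	}
	return fmt.Errorf("no pinned certificate in chain")
}

// issue builds a constructed fixture (errors ignored); nil parent = self-signed.
func issue(cn string, ca bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, pk = tpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, pub, pk)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func main() {
	root, rk := issue("root", true, nil, nil)
	leaf, _ := issue("leaf", false, root, rk)
	fmt.Println(CheckPins([]*x509.Certificate{leaf, root}, map[string]bool{Fingerprint(root): true}))
}
```

A CA pin on its own only proves that the pinned certificate was presented; the signature walk is what ties the leaf to it, which is why a leaf issued by a different CA is rejected even when the pinned root is appended to the chain.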

