Skip to main content

Certificate pinning

Certificate pinning is a security mechanism that associates a host with its certificate or public key. This ensures that your app only trusts specific certificates or public keys.

Are you a MobileID customer?

This feature is specific for Encap SCA customers. If you are a MobileID customer, then please see the MobileID Certificate pinning feature documentation.

Calculate the certificate pin

To calculate the certificate pin, you need to have the certificate. If you do not have the certificate, then you can get it by doing the following:

  1. Go to the URL in your web browser.
  2. Use your browser to download the certificate.
  3. Calculate the hash with OpenSSL using the appropriate method, depending on the format of the certificate:
    • PEM format: Calculate the hash with OpenSSL as follows:
    Example: Calculate the hash with OpenSSL
    openssl x509 -in certificate.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
    • DER format: Calculate the hash with OpenSSL as follows:
    Example: Calculate the hash with OpenSSL
    openssl x509 -in certificate.der -pubkey -noout -inform der | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

How to set it up

You can support TLS/SSL certificate pinning with Encap by calling setPublicKeyHashes() on the config object, before setting the config on the controller.

  • You can add one or more certificate hashes from the web server's certificate chain before establishing a TLS/SSL connection.
  • Ensure that you add the algorithm used in front of the hash, separated by a /.
Example: Set up certificate pinning with Encap
controller.config = EncapConfig(
    // Configure required properties...
    publicKeyHashes = arrayOf("sha256/47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=")
)
On this page