# Certificate pinning
# Calculating the certificate pin
To calculate the certificate pin, you need to have the certificate. If you do not have the certificate, then you can get it by going to the URL in your web browser. Then, use your browser to download the certificate.
# PEM format
If the certificate is in PEM format, then you can calculate the hash with OpenSSL as follows:
openssl x509 -in certificate.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
# DER format
If the certificate is in DER format, then you can calculate the hash with OpenSSL as follows:
openssl x509 -in certificate.der -pubkey -noout -inform der | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
# How to set it up
You can support TLS/SSL certificate pinning with Encap by setting publicKeyHashes
, which is located in EncapConfig
. This is an array of public key hashes.
This property holds hashes of public keys in the certificate chain sent from the server to trust, in the format <hash algorithm>/<base64-encoded public key hash>
.
This is the same as Chrome's format, for example:
sha256/i0qJOVXOc4mzxbcTUS21+wjE4IeaBTBA+cWy88Q34UU="