
Certificate pinning

Our certificate pinning feature gives applications additional security, as it guarantees that the Encap SDK only communicates with a trusted Encap server. By authenticating the client-server connection, it reduces the risk of man-in-the-middle (MITM) attacks.

Are you a MobileID customer?

This feature is specific for Encap SCA customers. If you are a MobileID customer, then please see the MobileID Certificate pinning feature documentation.

How does certificate pinning work?

  1. The Encap SDK is configured with the hashes of the public keys in the certificate chain that the trusted server sends.
  2. The Encap SDK compares the server's certificate with the configured hashes of public keys (publicKeyHashes).
  3. The client only allows communication with the server if the certificate and publicKeyHashes match.

Calculate the certificate pin

To calculate the certificate pin, you need the certificate. If you do not have it, open the server URL in your web browser and use the browser to download the certificate.

PEM format

If the certificate is in PEM format, then you can calculate the hash with OpenSSL as follows:

openssl x509 -in certificate.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

DER format

If the certificate is in DER format, then you can calculate the hash with OpenSSL as follows:

openssl x509 -in certificate.der -pubkey -noout -inform der | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

How to configure certificate pinning

You can support TLS/SSL certificate pinning with Encap by setting publicKeyHashes, which is located in EncapConfig. This is an array of public key hashes.

This property holds hashes of public keys in the certificate chain sent from the server to trust, in the format <hash algorithm>/<base64-encoded public key hash>.

This is the same as Chrome's format, for example:

sha256/i0qJOVXOc4mzxbcTUS21+wjE4IeaBTBA+cWy88Q34UU=
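As an added example (not the Encap SDK's own code), the following Python performs the same computation as the openssl pipelines above: it extracts the SubjectPublicKeyInfo from a DER certificate, hashes it with SHA-256 and formats the result the way publicKeyHashes expects, then checks a served chain against a configured list. The chain-matching rule (any certificate in the chain may match a configured pin) and the sample certificate skeleton are assumptions; PEM input is converted to DER first, as the openssl commands do.

```python
import base64
import hashlib

def _der(tag: int, content: bytes) -> bytes:
    """Short-form DER encoder (content < 128 bytes); only used to build the constructed sample."""
    return bytes([tag, len(content)]) + content

def _tlv(buf: bytes, pos: int):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_public_key_info(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV of an X.509 DER certificate."""
    _, tbs, _ = _tlv(cert_der, 0)               # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, pos, end = _tlv(cert_der, tbs)           # TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, ... }
    fields = []
    while pos < end:
        tag, _, vend = _tlv(cert_der, pos)
        if tag != 0xA0:                         # skip the optional [0] EXPLICIT version
            fields.append(cert_der[pos:vend])
        pos = vend
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5]

def pin_from_spki(spki_der: bytes) -> str:
    """Chrome/Encap pin format: sha256/<base64 of SHA-256 over the SPKI DER> (same as the openssl pipeline)."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def spki_pin(cert_der: bytes) -> str:
    return pin_from_spki(subject_public_key_info(cert_der))

def chain_is_pinned(chain_der, public_key_hashes) -> bool:
    """Assumed matching rule: some certificate in the served chain must match a configured pin."""
    return any(spki_pin(c) in set(public_key_hashes) for c in chain_der)

# Constructed sample: a structurally valid certificate skeleton (unsigned, not a real certificate)
# with an RSA SubjectPublicKeyInfo carrying a toy modulus; only the structure matters for the parser.
RSA_OID = _der(0x06, bytes.fromhex("2a864886f70d010101"))                       # rsaEncryption
SIG_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
RSA_PUB = _der(0x30, _der(0x02, b"\x00\xc1\x23\x45\x67") + _der(0x02, b"\x01\x00\x01"))   # RSAPublicKey {n, e}
SAMPLE_SPKI = _der(0x30, _der(0x30, RSA_OID + _der(0x05, b"")) + _der(0x03, b"\x00" + RSA_PUB))
SAMPLE_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + SIG_ALG + _der(0x30, b"")
                  + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
                  + _der(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT = _der(0x30, SAMPLE_TBS + SIG_ALG + _der(0x03, b"\x00" * 5))
```

Because the hash covers only the SubjectPublicKeyInfo, a renewed certificate that keeps the same key pair produces the same pin, while a certificate for a different key does not match any configured entry.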