Extract the SubjectPublicKeyInfo (SPKI) bytes from both the active leaf certificate and the next planned certificate; compute the SHA-256 digest of each SPKI (DER-encoded) and Base64-encode the digests
Embed both hashes in the mobile app's network configuration: on Android, configure a network_security_config.xml whose <pin-set expiration="..."> element contains both <pin digest="SHA-256"> entries; on iOS, configure NSPinnedDomains in the Info.plist with the same pair of hashes
Release the app update containing both the current and backup pins before rotating the server certificate
Confirm adequate adoption of the updated app version (ideally a majority of active users) before rotating the certificate on the server
After server certificate rotation, verify that clients using the updated app connect successfully using the backup pin as the new active pin
Plan the next rotation cycle with a new backup pin before the current certificate's expiry, maintaining the two-pin overlap pattern
Known gotchas
Pinning the leaf certificate (a hash of the whole certificate) rather than the SPKI means every certificate renewal breaks pinning even when the same key pair is reused; always pin the SPKI hash so that pinning is decoupled from the certificate issuance cycle
If the server certificate rotates before the app update containing the backup pin reaches sufficient user adoption, all users running the old app version will experience connection failures with no server-side mitigation available
Android's network-security-config expiration attribute on a pin-set makes the OS stop enforcing the pins after that date: omitting it or setting an overly permissive expiration date reduces security, while setting it too aggressively causes unexpected enforcement lapses
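The pin computation from the rotation steps above and the first gotcha, worked as an added example that is not part of the original runbook: it derives SPKI pins for the current and next certificate, shows that the SPKI pin survives a renewal on the same key while the whole-certificate hash does not, and emits the Android pin-set with both pins. It assumes `openssl` is on PATH; the key files, certificates and the domain api.example.test are constructed locally.

```sh
#!/bin/sh
# Added example, not part of the original runbook. Assumes `openssl` is on PATH;
# the key/cert files and the domain api.example.test are constructed here.
set -e

# Base64(SHA-256(SubjectPublicKeyInfo DER)): the value to pin.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary | openssl base64 -A
}

# Base64(SHA-256(whole certificate DER)): changes on every renewal even when the
# key pair is reused, which is why pinning the leaf certificate breaks (gotcha 1).
cert_hash() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha256 -binary | openssl base64 -A
}

# Emit an Android network_security_config.xml carrying current + backup pin.
# Args: domain, current pin, backup pin, pin-set expiration (YYYY-MM-DD).
android_pin_set() {
  cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <domain-config>
    <domain includeSubdomains="true">$1</domain>
    <pin-set expiration="$4">
      <pin digest="SHA-256">$2</pin>
      <pin digest="SHA-256">$3</pin>
    </pin-set>
  </domain-config>
</network-security-config>
EOF
}

# Constructed material: the current cert, a renewal of the SAME key (routine
# renewal) and the next planned cert on a NEW key (source of the backup pin).
req() { openssl req -x509 -config "$cnf" -subj /CN=api.example.test -days 90 "$@" 2>/dev/null; }
make_demo_certs() {
  cnf="$1/req.cnf"
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$cnf"   # minimal cnf, no system config needed
  req -newkey rsa:2048 -nodes -keyout "$1/key1.pem" -out "$1/current.pem"
  req -new -key "$1/key1.pem" -out "$1/renewed.pem"
  req -newkey rsa:2048 -nodes -keyout "$1/key2.pem" -out "$1/next.pem"
}

d=$(mktemp -d); make_demo_certs "$d"
echo "SPKI pin current: $(spki_pin "$d/current.pem")"
echo "SPKI pin renewed: $(spki_pin "$d/renewed.pem")"   # same key, so same pin
echo "cert hashes current/renewed (differ, never pin these): $(cert_hash "$d/current.pem") $(cert_hash "$d/renewed.pem")"
android_pin_set api.example.test "$(spki_pin "$d/current.pem")" "$(spki_pin "$d/next.pem")" 2026-12-31
rm -rf "$d"
```

The same `spki_pin` value goes into the iOS NSPinnedDomains entry, so one computation serves both platforms.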