ASP.NET - Certificate Pinning for ASP.NET Apps
Certificate pinning is a security technique that ensures an application communicates only with a server that presents a specific, expected certificate or public key. Even if a certificate authority is compromised or mis-issues a certificate for the server's hostname, the pin check rejects the unexpected certificate and the interception attempt fails before any data is sent.
Why Certificate Pinning Is Used
Standard HTTPS validation trusts every certificate authority in the client's trust store. If any one of them is misused or compromised, an attacker can obtain a certificate for your hostname that validates normally. Pinning reduces this risk by accepting only a known certificate or public key, regardless of which CA signed it, which protects sensitive data in transit.
Where Pinning Is Applied
Pinning is enforced on the client side of the connection, in the code that calls the ASP.NET API, not inside the server's request pipeline (the server cannot pin itself). Web browsers perform their own certificate validation and no longer offer site-controlled pinning (HTTP Public Key Pinning has been removed), so pinning is applied by mobile apps, desktop apps and backend services, including ASP.NET applications that call other services over HTTPS.
How Pinning Works
The client stores a copy of the server's certificate or, more commonly, a hash of its public key (the SubjectPublicKeyInfo). During the TLS handshake, once the server has presented its certificate, the client compares it with the pinned value. In .NET this happens in the certificate validation callback: returning false rejects the connection immediately, before any request is transmitted. Pinning should narrow what is accepted, not widen it, so the normal chain validation result must still be honoured alongside the pin check.
Things to Be Careful About
Certificates expire and are renewed, and a renewed certificate has a different thumbprint even when the server keeps the same key. Pinning the public key rather than the certificate therefore survives a routine renewal; pinning the thumbprint requires updating every client before each renewal to avoid blocking valid traffic. A common practice is to pin a set of values: the current key plus a backup pin for a key that is already generated but not yet deployed, so rotation does not break connectivity. Pins hard-coded in a mobile or desktop app cannot be changed without shipping a new release, so plan the update path before the first pin goes out. Pinning also rejects legitimate TLS-inspecting proxies, which is intended, but must be known to whoever operates the network.
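The mechanism described above, pinning the public key (SPKI hash) instead of the certificate thumbprint and carrying a backup pin so rotation does not lock clients out, as an added example that is not code from the original page. It assumes .NET 6 or later (PublicKey.ExportSubjectPublicKeyInfo), uses the placeholder hostname api.example.com, and generates self-signed certificates in-process as constructed inputs so the check can be exercised offline; the SslPolicyErrors values passed to the callback in the demo stand in for the chain result the TLS stack would supply on a real connection.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// --- Demo: exercise the pin check offline with certificates generated in-process ---
// Constructed inputs: self-signed certificates for a placeholder hostname. In real use the
// pin values come from the server's actual certificate (see SpkiPinning.ComputePin).
using var serverKey = RSA.Create(2048);   // key the server uses today
using var backupKey = RSA.Create(2048);   // next key, kept offline until rotation
using var rogueKey  = RSA.Create(2048);   // key an attacker or a misbehaving CA would present

using var current = SelfSigned(serverKey, "api.example.com", DateTimeOffset.UtcNow.AddDays(90));
using var renewed = SelfSigned(serverKey, "api.example.com", DateTimeOffset.UtcNow.AddDays(455)); // renewal, same key
using var rogue   = SelfSigned(rogueKey,  "api.example.com", DateTimeOffset.UtcNow.AddDays(90));

// Ship the current pin plus a backup pin for a key that is not yet deployed.
string[] pins =
{
    SpkiPinning.ComputePin(current),
    SpkiPinning.PinFromSubjectPublicKeyInfo(backupKey.ExportSubjectPublicKeyInfo()),
};
RemoteCertificateValidationCallback validate = SpkiPinning.CreateCallback(pins);

// SslPolicyErrors.None stands in for the chain result the TLS stack would report.
Console.WriteLine($"current cert accepted: {validate(new object(), current, null, SslPolicyErrors.None)}");
Console.WriteLine($"renewed cert (same key) accepted: {validate(new object(), renewed, null, SslPolicyErrors.None)}");
Console.WriteLine($"rogue cert accepted: {validate(new object(), rogue, null, SslPolicyErrors.None)}");
Console.WriteLine($"current cert with chain error accepted: {validate(new object(), current, null, SslPolicyErrors.RemoteCertificateChainErrors)}");

// Wiring into an HttpClient. In an ASP.NET app the same handler goes into
// AddHttpClient(...).ConfigurePrimaryHttpMessageHandler(() => handler).
var handler = new SocketsHttpHandler();
handler.SslOptions.RemoteCertificateValidationCallback = validate;
using var client = new HttpClient(handler);
// var response = await client.GetAsync("https://api.example.com/data");

static X509Certificate2 SelfSigned(RSA key, string commonName, DateTimeOffset notAfter)
{
    var request = new CertificateRequest($"CN={commonName}", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    return request.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), notAfter);
}

// Public-key (SPKI) pinning. Pin = base64(SHA-256(DER SubjectPublicKeyInfo)), the same
// value produced by:
//   openssl x509 -in server.pem -pubkey -noout | openssl pkey -pubin -outform der \
//     | openssl dgst -sha256 -binary | base64
public static class SpkiPinning
{
    public static string PinFromSubjectPublicKeyInfo(byte[] spkiDer) =>
        Convert.ToBase64String(SHA256.HashData(spkiDer));

    // Pin of the public key inside a certificate (PublicKey.ExportSubjectPublicKeyInfo needs .NET 6+).
    public static string ComputePin(X509Certificate2 cert) =>
        PinFromSubjectPublicKeyInfo(cert.PublicKey.ExportSubjectPublicKeyInfo());

    // Build a validation callback for a set of acceptable pins. Pinning narrows what is
    // accepted; it must never widen it, so the TLS stack's own chain result is honoured too.
    public static RemoteCertificateValidationCallback CreateCallback(IReadOnlyCollection<string> pins)
    {
        if (pins.Count < 2)
            throw new ArgumentException("Configure at least one backup pin so key rotation cannot lock clients out.", nameof(pins));
        var pinSet = new HashSet<string>(pins, StringComparer.Ordinal);

        return (sender, certificate, chain, errors) =>
        {
            if (certificate is null || errors != SslPolicyErrors.None)
                return false;
            var leaf = certificate as X509Certificate2 ?? new X509Certificate2(certificate);
            return pinSet.Contains(ComputePin(leaf));
        };
    }
}
```

The current and renewed certificates share one key, so they hash to the same pin and both pass; the rogue certificate carries a different key and is rejected even though its subject name matches; the current certificate is also rejected when the TLS stack reports a chain error, because the pin check never overrides chain validation. To obtain the pin for a deployed server, load its certificate with new X509Certificate2("server.cer") and call ComputePin, or run the openssl pipeline shown in the comment; the two agree byte for byte.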
Why It Improves Security
Pinning protects against man-in-the-middle attacks, rogue proxies and compromised certificate authorities. It is especially useful for financial, healthcare and internal service-to-service communication.
Example (Client-side pinning when calling an ASP.NET API)
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Pinned value: the thumbprint (SHA-1 hash of the DER-encoded certificate). It changes on every
// renewal, even when the key stays the same, so it must be updated together with the server certificate.
const string PinnedThumbprint = "PINNED_CERT_THUMBPRINT";
var handler = new HttpClientHandler();
handler.ServerCertificateCustomValidationCallback =
    (request, cert, chain, errors) =>
    {
        // Keep the normal chain validation; pinning narrows what is accepted, it does not replace it.
        if (cert is null || errors != SslPolicyErrors.None)
            return false;
        // Compare thumbprint with pinned value (hex string, compared case-insensitively)
        return string.Equals(cert.Thumbprint, PinnedThumbprint, StringComparison.OrdinalIgnoreCase);
    };

var client = new HttpClient(handler);
var response = await client.GetAsync("https://api.example.com/data");
Behavior
- The connection succeeds only if the server certificate matches the pinned value
- Fake or unexpected certificates are rejected, including ones issued by a CA the operating system trusts
- The thumbprint changes on every certificate renewal, so the pinned value must be updated in step with the server certificate