added the ability to pin SPKI hashes
use the below terminal command to generate a SHA256 hash of the SPKI (subject public key info) section of the certificate... which pins to not only the public key but also the algo etc.
openssl x509 -in /path/to/root/cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
pinning to just the public key is insecure, and pinning to certificates as a whole doesn't allow for the ability to refresh certificates while utilizing the same public key.
the point of this is to specify that only specific CAs are allowed to issue certificates for your domain, to protect against bad actors compromising some trusted root CA and issuing "valid" certificates for your domain.
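Added example, not code from this pull request: the value the openssl pipeline prints is base64(SHA-256) over the DER-encoded subjectPublicKeyInfo, so the AlgorithmIdentifier is covered along with the key bits. The stdlib-only walker below extracts that field from a DER certificate (the sample certificate is constructed, not a real CA cert) and shows that a renewed certificate carrying the same key yields the same pin while a different key does not.

```python
import base64
import hashlib
def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element (definite length, up to 65535 bytes)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, end offset) for the DER element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    n = 0 if first < 0x80 else first & 0x7F          # number of long-form length bytes
    length = first if n == 0 else int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    start = pos + 2 + n
    return tag, buf[start:start + length], start + length

def children(seq_body: bytes):
    """Yield (tag, raw element bytes) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(seq_body):
        tag, _, end = read_tlv(seq_body, pos)
        yield tag, seq_body[pos:end]
        pos = end

def extract_spki(cert_der: bytes) -> bytes:
    """DER subjectPublicKeyInfo: the sixth tbsCertificate field once the [0] version is skipped."""
    _, cert_body, _ = read_tlv(cert_der, 0)       # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs_body, _ = read_tlv(cert_body, 0)       # tbsCertificate
    fields = [raw for tag, raw in children(tbs_body) if tag != 0xA0]
    return fields[5]  # serial, signature, issuer, validity, subject, subjectPublicKeyInfo

def spki_pin(cert_der: bytes) -> str:
    """base64(sha256(SPKI DER)), the value the openssl pipeline in the description prints."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

# Constructed sample (not a real CA cert): just enough DER structure for extract_spki to walk.
RSA_ENC = tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D010101")) + tlv(0x05, b""))
SHA256_RSA = tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + tlv(0x05, b""))
RSA_KEY = tlv(0x30, tlv(0x02, b"\x00" + b"\xAB" * 64) + tlv(0x02, b"\x01\x00\x01"))  # dummy modulus, e=65537
SPKI = tlv(0x30, RSA_ENC + tlv(0x03, b"\x00" + RSA_KEY))  # the AlgorithmIdentifier is part of what gets hashed
NAME = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"Example Root"))))
VALIDITY = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"340101000000Z"))

def make_cert(serial: bytes, spki: bytes = SPKI) -> bytes:
    """Build a v3 certificate skeleton with a dummy signature; only the layout matters for pinning."""
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial) + SHA256_RSA + NAME + VALIDITY + NAME + spki)
    return tlv(0x30, tbs + SHA256_RSA + tlv(0x03, b"\x00" * 65))

def pin_matches(cert_der: bytes, pinned: set) -> bool:
    """The check a client makes: does the presented CA cert hash to one of the configured pins?"""
    return spki_pin(cert_der) in pinned
```

Feeding a real `cert.pem` (converted to DER) to `spki_pin` gives the same string as the openssl command in the description.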