
Project Setup

Set up your TrustPin project and configure certificate pinning for your mobile application.

Prerequisites

Before you begin, ensure you have:

  • A TrustPin account (Sign up)
  • Access to your server’s TLS/SSL certificates
  • Admin access to your domains
  • A mobile application (iOS, Android, or Flutter)

Step 1: Create Your Account

Sign Up / Sign In

  1. Visit app.trustpin.cloud.
  2. Click Sign In or Start Free Trial.
  3. Sign in using Google, GitHub, or create an account.
  4. After signing in, you’ll be taken to the TrustPin Dashboard.

Step 2: Create a Project

Projects organize your certificate pinning configurations by application.

Create New Project

  1. From the dashboard, click Create a new project.
  2. Enter your project details:
    • Organization: If you belong to multiple organizations, select the one for this project.
    • Project name: e.g., “MyApp (Testing)”
  3. Click Next.
  4. Select a type of Key Management and then click Next. You can choose between:
    • Cloud Managed Key: Keys are created in your browser and encrypted with a password. The encrypted keys are stored server-side and can only be decrypted with your password. This option is especially useful for development and testing environments.
    • Bring Your Own Key: Create and store an ECDSA P-256 key that is never uploaded. When required, use the TrustPin CLI tool to sign your configurations locally and securely. This is the recommended choice for production applications.
    • FIDO Protected Keys: An alternative to Cloud Managed Keys with FIDO protection.
  5. The next step depends on the selected key management type (see the matching subsection below).
  6. After key management selection, enter a list of domains and/or sub-domains separated by commas.
  7. Click Create project.

Cloud Managed Key

  1. Enter your master password. This password will be used to sign your project’s configuration. Store it securely.
  2. The generated public key corresponds to a private key generated in your browser.
  3. Click Next.

Bring Your Own Key

  1. Assign your key a Key ID.
  2. Generate the key pair using the suggested code.
  3. Copy the public key, in PEM format, into the field where it is required.
  4. Store your key pair safely, and never share the private key.
  5. Click Next.

FIDO Protected Keys

  1. Carefully review and acknowledge the implications of using FIDO.
  2. Mark the checkbox acknowledging the use of FIDO.
  3. Click Next and continue with the project setup until FIDO authentication is required.

Project Credentials

For any given project you will have:

  • Organization ID: Your organization identifier
  • Project ID: Unique project identifier
  • Public Key: Base64-encoded ECDSA P-256 public key for signature verification

Important: You’ll need these three values to initialize the SDK. None of them is considered sensitive information.


Step 3: Add Domains

Configure the domains your application will connect to.

Add a Domain

  1. Navigate to your project.
  2. In the workflow steps on the left side, click Set up domains.
  3. Click Add domain.
  4. Enter your domain, for example:
    api.example.com
  5. Click Add Domain.

Domain Configuration

Click Edit to modify domains and their certificates. For each domain, you can add one or more certificates (for example, current and future certificates).

To add a new certificate to a domain, click Add Certificate. You can delete a specific certificate by clicking Delete in its box, or remove the entire domain by clicking Delete domain.

Each certificate can include the following fields:

  • Expiration: When this certificate expires. If left blank, the entry does not expire.
  • Fingerprint and SPKI: SHA-256 and/or SHA-512 hashes of the leaf certificate and of its Subject Public Key Info.
  • Issuer: Who issued this certificate.
  • Serial Number (optional): Serial number of the certificate.
  • Certificate Transparency Logs

At least one of the following should be defined in order to have a valid configuration:

  • SHA256 fingerprint
  • SHA512 fingerprint
  • SPKI SHA256
  • SPKI SHA512

Certificate fingerprints take precedence over SPKI hashes. For example:

  • If you define all four fields, the SDK checks the SHA256 fingerprint first.
  • If you define one fingerprint and one SPKI hash, the SDK tests the fingerprint first.
  • If you want SPKI pinning to be used, do not specify a SHA256 or SHA512 fingerprint.

Important: After making any changes, click Apply changes. The changes are saved to your project but are not sent to devices. Your configuration reaches users’ devices only when you publish it.

Pinning Methods

  • SPKI SHA-256: pins the Subject Public Key Info. Use case: auto-managed certificates (ACM, Let’s Encrypt). Recommended: Preferred.
  • SPKI SHA-512: pins the Subject Public Key Info. Use case: high-security apps with auto-managed certificates. Recommended: Yes.
  • Leaf SHA-256: pins the full certificate fingerprint. Use case: manually managed certificates. Recommended: When needed.
  • Leaf SHA-512: pins the full certificate fingerprint. Use case: high-security apps with manually managed certificates. Recommended: When needed.

Why SPKI Pinning is Preferred

SPKI (Subject Public Key Info) pinning is the recommended approach, especially for certificates managed automatically by services like AWS Certificate Manager (ACM) or Let’s Encrypt:

Advantages of SPKI Pinning:

  • Survives certificate renewal: Pin remains valid when certificate is renewed with the same key pair
  • Zero-downtime rotation: No need to update pins when certificates auto-renew
  • OWASP recommended: Follows OWASP Mobile Security Testing Guide best practices
  • Less maintenance: Ideal for automated certificate management systems

When to Use Leaf Certificate Pinning:

  • You manually manage certificates and want stricter validation
  • You need to pin the entire certificate chain
  • Compliance requirements mandate full certificate fingerprinting

For AWS ACM, Let’s Encrypt, and other auto-renewal systems, always use SPKI pinning to avoid service disruptions when certificates automatically renew.
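The precedence rule from Domain Configuration and the renewal property described above, modelled together as an added example in Python (this is not TrustPin SDK code). The CertEntry field names, the assumption that a defined fingerprint is used instead of SPKI with no fall-through, and the sample byte strings are constructed, not taken from the TrustPin configuration format.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Hypothetical in-memory model of one certificate entry for a pinned domain.
# Field names are assumptions; the page lists the fields, not the published file format.
@dataclass
class CertEntry:
    sha256_fingerprint: Optional[str] = None  # hex SHA-256 over the whole leaf certificate (DER)
    sha512_fingerprint: Optional[str] = None  # hex SHA-512 over the whole leaf certificate (DER)
    spki_sha256: Optional[str] = None         # hex SHA-256 over the SubjectPublicKeyInfo (DER)
    spki_sha512: Optional[str] = None         # hex SHA-512 over the SubjectPublicKeyInfo (DER)

# Precedence as the page describes it: fingerprints before SPKI, SHA-256 before SHA-512.
PRECEDENCE = ("sha256_fingerprint", "sha512_fingerprint", "spki_sha256", "spki_sha512")

def hex_digest(algo: str, data: bytes) -> str:
    return hashlib.new(algo, data).hexdigest()

def is_valid_entry(entry: CertEntry) -> bool:
    """A valid entry defines at least one of the four pin fields."""
    return any(getattr(entry, f) for f in PRECEDENCE)

def selected_pin(entry: CertEntry) -> str:
    """First defined field in precedence order (assumption: no fall-through to later fields)."""
    for f in PRECEDENCE:
        if getattr(entry, f):
            return f
    raise ValueError("entry defines no fingerprint or SPKI hash")

def pin_matches(entry: CertEntry, leaf_der: bytes, spki_der: bytes) -> bool:
    """Hash the presented leaf (or its SPKI) and compare it with the selected pin."""
    field = selected_pin(entry)
    algo = "sha256" if "256" in field else "sha512"
    data = spki_der if field.startswith("spki") else leaf_der
    return hex_digest(algo, data).lower() == getattr(entry, field).lower()

# Constructed sample, not real DER: an auto-renewal reissues the certificate with
# the same key pair, so the leaf bytes change while the SPKI bytes stay identical.
OLD_LEAF = b"constructed-leaf-cert-v1"
NEW_LEAF = b"constructed-leaf-cert-v2"
SAME_SPKI = b"constructed-spki-same-keypair"

def renewal_outcome() -> dict:
    """Which pin style still validates after the renewal above."""
    leaf_pin = CertEntry(sha256_fingerprint=hex_digest("sha256", OLD_LEAF))
    spki_pin = CertEntry(spki_sha256=hex_digest("sha256", SAME_SPKI))
    return {
        "leaf_pin_after_renewal": pin_matches(leaf_pin, NEW_LEAF, SAME_SPKI),
        "spki_pin_after_renewal": pin_matches(spki_pin, NEW_LEAF, SAME_SPKI),
    }
```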

Hash Algorithm Selection

  • SHA-256: Security level High (256-bit). Performance fast (~1-5 ms). Recommended use: most applications.
  • SHA-512: Security level Very High (512-bit). Performance moderate. Recommended use: banking, healthcare, government.

Recommendation: Use SPKI SHA-256 for most applications. Upgrade to SPKI SHA-512 only if your security requirements specifically mandate stronger cryptographic guarantees.


Step 4: Publishing configuration

  1. In the workflow steps on the left side, click Publish config. This page provides an overview of your project status.

You can see the public key and the configuration file hosted on the CDN. The online configuration file has the information used by the SDK in your application to do certificate pinning.

When your project configuration differs from the online version, you can publish the new changes. After reviewing the configuration, click Publish.

Publishing the configuration may be disabled in the web dashboard if you selected Bring Your Own Key (BYOK). Remember that BYOK should be used alongside the CLI to sign configurations.

For Cloud Managed Keys and FIDO Protected Keys, click Publish. Your master password or FIDO key will be required. After that, your configuration file is updated.


Step 5: SDK Integration

Integrate TrustPin into your mobile application.

Choose Your Platform

Select the appropriate SDK for your platform (iOS, Android, or Flutter) and follow its instructions:


Best Practices

Security

  1. Never commit credentials to version control
  2. Use environment variables for sensitive data
  3. Enable strict mode in production
  4. Rotate pins before expiration
  5. Monitor pin validation failures

Configuration Management

  1. Separate projects for each environment
  2. Document domain configurations
  3. Keep certificates up to date
  4. Test in staging before production
  5. Use version control for configuration

Development Workflow

  1. Start with permissive mode during development
  2. Test all API endpoints with pinning enabled
  3. Validate configurations in staging environment
  4. Switch to strict mode before production release
  5. Monitor logs for issues

Troubleshooting Setup

Cannot Create Project

Issue: Project creation fails

Solutions:

  • Check account permissions
  • Verify email is confirmed
  • Contact support if issue persists

Invalid Credentials Error

Issue: SDK initialization fails with INVALID_PROJECT_CONFIG

Solutions:

  • Verify Organization ID is correct
  • Check Project ID matches dashboard
  • Ensure Public Key is properly base64-encoded
  • Remove any whitespace from credentials

Certificate Upload Fails

Issue: Certificate upload returns error

Solutions:

  • Verify certificate format (PEM, DER, etc.)
  • Check certificate is valid (not expired)
  • Ensure certificate matches domain
  • Try uploading via different method (file vs paste)

Domain Not Accessible

Issue: Cannot add domain to project

Solutions:

  • Verify domain ownership
  • Check DNS is configured correctly
  • Ensure domain uses HTTPS
  • Verify firewall allows access

Next Steps

After completing setup:

  1. Deploy Your Application
  2. Learn How Certificate Pinning Works
  3. Explore CLI Tools
  4. Review Troubleshooting Guide

Support

Need help with setup?