• "Pinned certificate (public key) SHA-256" values now only match against the leaf certificate.
  In the past, it was extended to extra non-leaf certificate verification logic only for the compatibility with other software, but this causes unexpected and dangerous verification bahavior. You may not be able to copy and paste the hash value from such software and expect it to work now. Pinning the leaf certificate is not affected.