your app would download the new certificate from an endpoint which returns the new certificate signed with the old one that you currently pin?