The only foolproof way to get around this is to hardcode the certificate into the application itself, or at least the intermediate chain. Otherwise, you could have always intercepted the first request and made that the certificate of record.