Since you already support checking for [HPKP](http://caniuse.com/publickeypinning), how about OCSP must-staple? https://blog.mozilla.org/security/2015/11/23/improving-revocation-ocsp-must-staple-and-short-lived-certificates/
