HPKP best practices if you choose to implement


#21

No, you can just have the public key signed by any CA whenever you decide to, and the advantage is that even if these keys are stolen, they are unusable before the certificate is issued.

However, this is not entirely correct. You should always also include a key that you plan on using after your key expires. Changing the key after it expires will look to browsers like an attack, so if you don't have an additional key added, you will be forced to reuse your key, which is a terrible security practice.
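The rotation problem described in this comment can be shown concretely. The following Go program is an added example, not code from the original post: it computes HPKP `pin-sha256` values (base64 of the SHA-256 over the DER-encoded SubjectPublicKeyInfo) for a current key and a pre-generated backup key, emits a `Public-Key-Pins` header that refuses to be built with fewer than two pins, and then replays the browser-side check to show that rotating to the backup key is accepted while rotating to a key that was never pinned is rejected. The helper names (`spkiPin`, `hpkpHeader`, `pinsMatch`, `newKey`) are assumptions of this example; the keys are generated on the fly, so the printed pins are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// newKey generates a fresh P-256 key; in practice the backup key would be
// created ahead of time and stored offline until it is needed.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// spkiPin computes the HPKP pin-sha256 value for a public key:
// base64(SHA-256(DER SubjectPublicKeyInfo)). Pinning the SPKI rather than the
// certificate is what lets you re-issue a certificate for the same key later.
func spkiPin(pub interface{}) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// hpkpHeader builds the Public-Key-Pins header value. It refuses to build a
// header with fewer than two pins, because a deployment with no backup pin
// cannot rotate keys without locking out returning browsers.
func hpkpHeader(maxAge int, pins ...string) (string, error) {
	if len(pins) < 2 {
		return "", fmt.Errorf("HPKP needs at least two pins (current key plus a backup)")
	}
	parts := make([]string, 0, len(pins)+1)
	for _, p := range pins {
		parts = append(parts, fmt.Sprintf("pin-sha256=%q", p))
	}
	parts = append(parts, fmt.Sprintf("max-age=%d", maxAge))
	return strings.Join(parts, "; "), nil
}

// pinsMatch mirrors what a browser does on a later visit: the pin of the key
// it is served now must appear in the set of pins it remembered earlier.
func pinsMatch(remembered []string, served string) bool {
	for _, p := range remembered {
		if p == served {
			return true
		}
	}
	return false
}

func main() {
	current, _ := spkiPin(&newKey().PublicKey)
	backup, _ := spkiPin(&newKey().PublicKey) // generated now, used at next rotation

	header, err := hpkpHeader(5184000, current, backup) // 60 days
	if err != nil {
		panic(err)
	}
	fmt.Println("Public-Key-Pins:", header)

	remembered := []string{current, backup} // what a browser cached from the header
	fmt.Println("rotate to backup key accepted:", pinsMatch(remembered, backup))

	fresh, _ := spkiPin(&newKey().PublicKey) // a key that was never pinned
	fmt.Println("rotate to unpinned key accepted:", pinsMatch(remembered, fresh))

	_, err = hpkpHeader(5184000, current)
	fmt.Println("single-pin header rejected:", err != nil)
}
```

The check in `pinsMatch` is the whole reason the backup pin matters: once a browser has cached the header, every key you serve during `max-age` must hash to one of the remembered pins, so the key you will rotate to has to be pinned before the rotation, not after. Note that mainstream browsers have since removed HPKP support, so this illustrates the mechanism rather than a header to deploy today.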