HPKP works off the SPKI (public key hash), not the certificate. That's why you can generate the hash from the private key file before you even generate a CSR. As long as you don't regenerate your site's private key, you don't need to do staggered key rollovers with 90 day limits, you can push that out to nicer, longer timeframes.
I asked in #letsencrypt this morning whether the letsencrypt-renewer script would default to regenerating the private key each time, or keep it and re-submit the prior CSR. I'm told right now the idea is regenerate by default -- but there should be a config parameter to change to re-using the existing CSR/private key. Clearly that's what you and I want to turn on.
Having a backup key is still extremely critical for compromise recovery, so it's still something that should have great care taken in implementation.
I guess what I mean to say is, there's nothing about short-lived certs that stops you from using HPKP, but it does mean we have a distance to go on tooling before we can reach admin nirvana.
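The point made above, that an HPKP pin is a hash of the SubjectPublicKeyInfo and so can be computed from the private key before any CSR or certificate exists, as an added example (not code from the original post, and not the letsencrypt-renewer's own tooling). It assumes `openssl` is on PATH; the `example.invalid` subject, the temp directory and the `max-age` of 5184000 seconds are arbitrary demo values. It generates a site key and a separate backup key, pins the site key directly, then pins a self-signed certificate for the same key (standing in for the CA-issued one) and checks the two pins agree, which is exactly the property that renewal-with-key-reuse preserves and renewal-with-key-regeneration breaks.

```shell
#!/bin/sh
# Added example, not from the original post or from Let's Encrypt tooling.
# An HPKP pin is base64(SHA-256(DER SubjectPublicKeyInfo)), so it depends
# only on the key pair, not on the certificate issued for it.
# Assumes: openssl on PATH; all key material is throwaway demo data.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Pin from a private key: export the public key as DER SPKI, hash, base64.
pin_from_key() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl enc -base64
}

# Pin from a certificate: the same computation over the cert's SPKI.
pin_from_cert() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl enc -base64
}

# Build the header from the live key plus an offline backup key.
# HPKP requires at least one backup pin that is not in the served chain,
# which is why the backup key matters for compromise recovery.
# Usage: hpkp_header LIVE_KEY BACKUP_KEY MAX_AGE_SECONDS
hpkp_header() {
    printf 'Public-Key-Pins: pin-sha256="%s"; pin-sha256="%s"; max-age=%s\n' \
        "$(pin_from_key "$1")" "$(pin_from_key "$2")" "$3"
}

# Demo keys (constructed, throwaway) and a self-signed certificate for the
# site key; a CA-issued cert for the same key would carry the same SPKI.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/site.key" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/backup.key" 2>/dev/null
openssl req -new -x509 -key "$WORK/site.key" -subj "/CN=example.invalid" \
    -days 90 -out "$WORK/site.crt" 2>/dev/null

KEY_PIN="$(pin_from_key "$WORK/site.key")"
CERT_PIN="$(pin_from_cert "$WORK/site.crt")"
BACKUP_PIN="$(pin_from_key "$WORK/backup.key")"

# Returns 0 when the pin computed before issuance equals the pin taken from
# the certificate and the backup pin is distinct. A renewer that keeps the
# key leaves KEY_PIN unchanged; one that regenerates the key changes it and
# would lock out every client that cached the old header.
pins_consistent() {
    [ "$KEY_PIN" = "$CERT_PIN" ] && [ "$KEY_PIN" != "$BACKUP_PIN" ]
}

if pins_consistent; then
    echo "pin from private key matches pin from certificate: $KEY_PIN"
else
    echo "pin mismatch: key=$KEY_PIN cert=$CERT_PIN backup=$BACKUP_PIN" >&2
fi
hpkp_header "$WORK/site.key" "$WORK/backup.key" 5184000
```

Run it as-is to see the header; in practice the backup key stays offline and only its pin is published, and the check in `pins_consistent` is the one to run against any renewer's output before deploying a renewed certificate behind a live HPKP header.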