Public Key Pinning (HPKP) and inserting new pin-sha256 key into Apache site.config files

Hi all,

The HPKP validation fails over at ssllabs.com whenever a new certificate is issued and the Pin SHA256 changes.

Is there an automated option so this is inserted into the “domain.com-le-ssl.conf” every time certbot renew is done?

Currently I have to update each site.config file and apply the new sha256 associated to the renewed certs.

Thanks


certbot generates a new private key every time it obtains a new certificate.

If you want to pin the end-entity certificate you’ll have to generate your own private key and CSR and use certbot --csr to obtain your certificate (which also requires you to set up renewal manually on your own).

Alternatively, you could instead pin the active and backup intermediate certificates (Let’s Encrypt Authority X3 and Let’s Encrypt Authority X4) or the current and future root certificates (DST Root CA X3 and ISRG Root X1).
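One way to act on the reply above, as an added example that is not from the thread or from certbot: a deploy hook that pins the intermediate(s) in the renewed chain plus a backup root instead of the rotating leaf key, and rewrites an Apache snippet with the resulting Public-Key-Pins header. It assumes openssl is installed; the PINS_CONF and BACKUP_ROOT paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a certbot deploy hook that rebuilds the
# Apache Public-Key-Pins header from the intermediate(s) in the renewed chain
# plus a backup root, so the pin set survives certbot's per-renewal leaf-key
# rotation. Assumes openssl; PINS_CONF and BACKUP_ROOT are placeholder paths.
set -eu

PINS_CONF="${PINS_CONF:-/etc/apache2/conf-available/hpkp-pins.conf}"   # placeholder
BACKUP_ROOT="${BACKUP_ROOT:-/etc/ssl/certs/ISRG_Root_X1.pem}"          # placeholder

# pin-sha256 of one PEM certificate: base64(sha256(DER(SubjectPublicKeyInfo)))
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64
}

# One pin per certificate in a PEM bundle (certbot's chain.pem holds the intermediates)
chain_pins() {
    tmp=$(mktemp -d)
    awk -v d="$tmp" '/-----BEGIN CERT/{n++} {print > (d "/" n ".pem")}' "$1"
    for f in "$tmp"/*.pem; do spki_pin "$f"; done
    rm -rf "$tmp"
}

# Header value: first pin is primary, the rest are backups; HPKP requires at least two.
hpkp_value() {
    max_age="$1"; shift
    [ "$#" -ge 2 ] || { echo "HPKP needs a primary pin plus a backup" >&2; return 1; }
    out=""
    for p in "$@"; do out="${out}pin-sha256=\"$p\"; "; done
    printf '%smax-age=%s' "$out" "$max_age"
}

# Write an Apache snippet (Include it from the vhost's <VirtualHost *:443>);
# the inner quotes are escaped for httpd's config parser.
write_apache_pins() {
    conf="$1"; shift
    value=$(hpkp_value 5184000 "$@")
    printf 'Header always set Public-Key-Pins "%s"\n' \
        "$(printf '%s' "$value" | sed 's/"/\\"/g')" > "$conf"
}

# certbot exports RENEWED_LINEAGE when run with --deploy-hook; nothing runs otherwise.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    set -- $(chain_pins "$RENEWED_LINEAGE/chain.pem") "$(spki_pin "$BACKUP_ROOT")"
    write_apache_pins "$PINS_CONF" "$@"
    apachectl graceful
fi
```

Since this thread was written, HPKP has been removed from the major browsers (Chrome dropped it in version 72), so the header is now ignored by most clients even where it is still served.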

You should use a script to do this :smiley:

There is a framework for this.

Review the different types of pinning here, as what @Patches suggested is actually a very elegant solution.

Andrei

Thanks for the advice @Patches & @ahaw021 :slight_smile:
