Question re:HPKP


#1

Trying to learn more about HPKP (pinning) and wondering something. Since the LE certs are only good for three months at a time, will the “fingerprint” need to be replaced in the server header for the PUBLIC-KEY-PINS header values every three months also? If so, that’s kind of a pain…or do I still have more reading to do (lol)?


#2

Hi @mushu,

① It depends on which key you pin to, because you could for example pin to Let’s Encrypt’s key rather than your own key.

② We’ve added a --reuse-key option to Certbot which was originally largely intended for the pinning use case. In this case, the public key of your certificate won’t change when you renew. This is also the case if you obtain a certificate using a CSR and you re-use the same CSR. In that case, pins to your own key will still be valid after the new certificate is issued.

③ However, Google announced that they’re removing support for HPKP from Chrome entirely, so the impact of pinning will be reduced. (I’m not sure if it will be supported in any major browser in the future.)


#3

Hi @mushu

additional: You can pin the intermediate certificate. You can also pin the root certificate.


#4

Thank you for that info. I found the Chrome statement about removing HPKP support…


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.