Generate from your letsencrypt certs.
HPKP (RFC 7469) is a standard that tells the browser to cache a hash of a certain TLS certificate's public key, and to validate that future visits use that key. Please read Extended Info, as losing your pins may result in migraines (if you use your leaf). You can check or generate your hashes with this tool. Note that the major browsers have since dropped HPKP support, so treat the header as an extra layer, not as your only defence.
letsencrypt renews your certificates every few months, so if you pin against your cert.pem and it changes (or you lose it), the browser will still expect to see the old one.
Quick fix? Pin the intermediate or root certificates.
If you took the time to read Extended Info, you would know that this also helps protect against others pretending to be you with a legitimate certificate issued from some other trusted Intermediate/Root.
You can download the intermediate certs from letsencrypt and pin against those, or locate your pem files, typically in /etc/letsencrypt/live/{{mydomain.com}}
chain.pem: this will generate the PKP hash for your CA (in our case, Let's Encrypt Authority X3). The `openssl rsa -pubin` step only accepts RSA keys; if your chain uses an ECDSA key, `openssl pkey -pubin -outform der` does the same job for any key type.
openssl x509 -noout -in chain.pem -pubkey | \
openssl rsa -pubin -outform der | \
openssl dgst -sha256 -binary | \
base64
# Result
YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
lets-encrypt-x4-cross-signed.pem (downloaded from letsencrypt): this gives you a second pin for the X4 intermediate, which acts as the backup pin RFC 7469 requires, so your site stays reachable if Let's Encrypt switches intermediates.
openssl x509 -noout -in lets-encrypt-x4-cross-signed.pem -pubkey | \
openssl rsa -pubin -outform der | \
openssl dgst -sha256 -binary | \
base64
# Result
sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis=
Use the below only if you want to pin against your own leaf certificate (see the renewal caveat above).
cert.pem: this will generate the PKP hash for your domain
openssl x509 -noout -in cert.pem -pubkey | \
openssl rsa -pubin -outform der | \
openssl dgst -sha256 -binary | \
base64
# Result example
klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=
To enable in nginx
add the following directive; we will include all subdomains and set the expiry to 30 days (max-age=2592000):
add_header Public-Key-Pins 'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis="; max-age=2592000; includeSubDomains';
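The same pin computation as the openssl pipeline above, plus a builder for the header value that enforces the RFC 7469 rule behind the two-pin layout (one pin for a key in the served chain, one backup pin for a key that is not). This is an added example, not code from the page; the DER encoder and the toy RSA parameters it is fed are constructed for illustration, and function names are my own.

```python
import base64
import hashlib

# rsaEncryption OID (1.2.840.113549.1.1.1), already DER-encoded
RSA_OID = bytes.fromhex("06092a864886f70d010101")


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (definite lengths up to 65535 bytes)."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    elif len(body) < 0x100:
        length = b"\x81" + bytes([len(body)])
    else:
        length = b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body


def der_int(n: int) -> bytes:
    # Extra byte of headroom keeps the INTEGER positive when the top bit is set.
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_spki_der(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo DER for an RSA key: what `openssl rsa -pubin -outform der` emits."""
    alg = der(0x30, RSA_OID + b"\x05\x00")            # AlgorithmIdentifier { rsaEncryption, NULL }
    pub = der(0x30, der_int(n) + der_int(e))          # RSAPublicKey { modulus, publicExponent }
    return der(0x30, alg + der(0x03, b"\x00" + pub))  # BIT STRING, 0 unused bits, wrapping the key


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo)), same as the openssl pipeline."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def pem_to_der(pem: str) -> bytes:
    """Strip the -----BEGIN/END----- armour of a PEM block, e.g. `openssl x509 -pubkey` output."""
    body = "".join(line for line in pem.splitlines() if line and not line.startswith("-----"))
    return base64.b64decode(body)


def hpkp_header(served_pins, backup_pins, max_age=2592000, include_subdomains=True) -> str:
    """Build the Public-Key-Pins value; refuse a pin set that would brick the site on key change."""
    served, backup = set(served_pins), set(backup_pins)
    if not served:
        raise ValueError("need at least one pin for a key in the served chain")
    if not backup - served:
        raise ValueError("need a backup pin for a key NOT in the served chain")
    pins = list(served_pins) + [p for p in backup_pins if p not in served]
    value = "; ".join(f'pin-sha256="{p}"' for p in pins) + f"; max-age={max_age}"
    return value + ("; includeSubDomains" if include_subdomains else "")
```

Feeding the X3 pin as the served pin and the X4 pin as the backup reproduces the nginx directive value above exactly.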