Activating HTTP Public Key Pinning (HPKP) on Let's Encrypt
- Disclaimer: This might break your website; don't proceed if you don't know what you're doing.
Since the letsencrypt client seems to create a new private key every time the certificate is renewed, and Let's Encrypt requires you to renew your certificate once every ~80 days, pinning your certificate's own SPKI is probably not the way to go. So, what should we pin then? Let's Encrypt is currently issuing from Authority X3 and using Authority X4 as a backup, so these two are a great place to start. We should also include the ISRG Root, so that the pin set still covers new Authorities with other SPKIs as well.
Generate HASH of the Public Keys (SPKI)
To generate the hash of the SPKI of these certificates, run the following commands:
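As an added example (not the page's own commands), the script below computes the HPKP pin for each certificate file you give it, base64(SHA-256(DER SubjectPublicKeyInfo)), and assembles a Public-Key-Pins header with a primary and a backup pin as HPKP requires. It assumes the openssl CLI is installed; the certificate paths are hypothetical, and the demo at the end uses constructed throwaway self-signed certificates in place of the X3, X4 and ISRG Root certificates named above.

```shell
#!/bin/sh
# Added example, not from the original page: build an HPKP header from
# certificate files. A pin is base64(SHA-256(DER-encoded SubjectPublicKeyInfo)).
set -eu

# spki_pin FILE.pem -> prints the pin-sha256 value for the certificate's public key
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64 -A
}

# hpkp_header MAX_AGE FILE.pem FILE.pem [FILE.pem ...] -> prints the header value.
# HPKP needs at least two pins, and at least one of them (the backup) must NOT be
# in the chain you serve, so a rollover is still possible if the primary is lost.
hpkp_header() {
    max_age="$1"; shift
    [ "$#" -ge 2 ] || { echo "need a primary and a backup certificate" >&2; return 1; }
    header=""
    for cert in "$@"; do
        header="${header}pin-sha256=\"$(spki_pin "$cert")\"; "
    done
    printf '%smax-age=%s\n' "$header" "$max_age"
}

# make_demo_cert DIR NAME -> constructed self-signed cert standing in for a CA cert
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
        -out "$1/$2.pem" -subj "/CN=$2" -days 1 >/dev/null 2>&1
}

# demo -> prints a header for two constructed certs with a 60-day max-age
# (deliberately short while you validate that the pin set matches your chain)
demo() {
    dir=$(mktemp -d)
    make_demo_cert "$dir" primary
    make_demo_cert "$dir" backup
    hpkp_header 5184000 "$dir/primary.pem" "$dir/backup.pem"
    rm -rf "$dir"
}

demo
```

Send the result as `Public-Key-Pins-Report-Only` first and only switch to `Public-Key-Pins` once the reported pins match the chain you actually serve.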