@esurdam
Created July 12, 2016 07:31
Generate HPKP from PEM-encoded certs (letsencrypt, digicert, etc)

HPKP from .pem (letsencrypt)

Generate from your letsencrypt certs.

HPKP (RFC 7469) is a standard that tells the browser to cache a hash of a certain TLS certificate's public key, and to validate that future visits use that key. Please read Extended Info, as losing your pins may result in migraines (if you pin your leaf). You can check or generate your hashes with this tool.

letsencrypt renews your certificates every few months, so if you pin against your cert.pem and it changes (or you lose it), the browser will still expect to see the old one.

Quick fix? Pin the intermediate or root certificates.

If you took the time and read Extended Info you would know that this helps protect against others pretending to be you with a legitimate certificate issued from some trusted Intermediate/Root.

generate pins

You can download the intermediate certs from letsencrypt and pin against those, or locate your pem files, typically in /etc/letsencrypt/live/{{mydomain.com}}

chain.pem: This will generate the HPKP hash for your CA (in our case, Let's Encrypt Authority X3)

openssl x509 -noout -in chain.pem -pubkey | \
openssl rsa -pubin -outform der | \
openssl dgst -sha256 -binary | \
base64

# Result
YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=

lets-encrypt-x4-cross-signed.pem from letsencrypt

openssl x509 -noout -in lets-encrypt-x4-cross-signed.pem -pubkey | \
openssl rsa -pubin -outform der | \
openssl dgst -sha256 -binary | \
base64

# Result
sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis=

Use the below only if you want to pin against your certificate.

cert.pem: This will generate the HPKP hash for your domain

openssl x509 -noout -in cert.pem -pubkey | \
openssl rsa -pubin -outform der | \
openssl dgst -sha256 -binary | \
base64

# Result example 
klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=

nginx

To enable in nginx, add the following directive. We will include all subdomains and set expiry to

add_header Public-Key-Pins 'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis="; max-age=2592000; includeSubDomains';
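
Since a malformed or single-pin header is what locks visitors out, the header value can be linted before nginx is reloaded. The script below is an added example, not part of the original gist: `check_hpkp` is a hypothetical helper name, and it assumes lowercase directive names (as in the header above) and a `base64` utility that accepts `-d`.

```sh
#!/bin/sh
# Added example: lint a Public-Key-Pins header value before deploying it.
# check_hpkp is a hypothetical helper name, not part of openssl or nginx.
# Exit status 0 = value passes, 1 = at least one problem (printed to stderr).
check_hpkp() (
  set -f                        # no globbing while splitting on ';'
  IFS=';'
  rc=0; count=0; seen=' '; max_age=''
  for part in $1; do
    # Trim whitespace around each directive.
    part=$(printf '%s' "$part" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case $part in
      pin-sha256=\"*\")
        pin=${part#pin-sha256=\"}; pin=${pin%\"}
        len=0
        if printf '%s' "$pin" | base64 -d >/dev/null 2>&1; then
          len=$(printf '%s' "$pin" | base64 -d | wc -c | tr -d ' ')
        fi
        # A SHA-256 digest is exactly 32 bytes once decoded.
        if [ "$len" -ne 32 ]; then
          echo "bad pin (not base64 of 32 bytes): $pin" >&2; rc=1
        fi
        case $seen in
          *" $pin "*) echo "duplicate pin: $pin" >&2; rc=1 ;;
          *) seen="$seen$pin "; count=$((count + 1)) ;;
        esac ;;
      max-age=*)
        max_age=${part#max-age=}
        case $max_age in
          ''|*[!0-9]*) echo "max-age is not a number: $max_age" >&2; rc=1 ;;
        esac ;;
    esac
  done
  # RFC 7469 requires max-age and a backup pin: two distinct pins minimum.
  [ -n "$max_age" ] || { echo "missing max-age" >&2; rc=1; }
  [ "$count" -ge 2 ] || { echo "need 2 distinct pins, found $count" >&2; rc=1; }
  exit "$rc"
)
```

Pass it the quoted value from the `add_header` line. It only checks the header's form, so it cannot tell whether any pin actually matches the chain your server presents.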