Enable Public Key Pinning on Apache2

How to enable the Public Key Pinning Extension for HTTP (HPKP) on Apache2. HPKP tries to detect MITM attacks that use valid certificates. The first time a browser visits an HPKP-enabled website, it stores the hash of the public key. For all subsequent TLS connections, the received key is checked against the stored key.

How to enable HPKP on Apache2?

Calculate the sha256 hash for the public key

In this example I’m using the certificate as a base to extract the public key.

$ openssl x509 -in www_rivy_org.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64
writing RSA key
VhFYptFYvVRv1KVvcUg3EfHvv15wkBFpRU332RNC2sM=

Add configuration statement to correct vhost

To add the HPKP header, I’ve added the following line to the correct vhost definition.

Header always set Public-Key-Pins "pin-sha256=\"VhFYptFYvVRv1KVvcUg3EfHvv15wkBFpRU332RNC2sM=\"; max-age=5184000"
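The pin value in the header is the base64-encoded SHA-256 digest of the DER-encoded SubjectPublicKeyInfo, which is exactly what the openssl pipeline above computes. The following added example (not code from the original post) reproduces that computation with the Python standard library, builds the header value, and applies the checks a browser makes before it notes the pins: a max-age must be present, one pin must match a key in the served chain, and at least one backup pin must match none of them, as RFC 7469 requires; a header with a single pin, like the one above, is ignored by browsers. The PEM block and the "backup-key" bytes below are constructed placeholders, not real keys; the pin value in POST_HEADER is copied from the post.

```python
"""pin-sha256 computation plus Public-Key-Pins header building and validation.

Added example, not part of the original post. Stdlib only.
"""
import base64
import hashlib
import re

# Constructed sample: NOT a real SubjectPublicKeyInfo, just bytes to hash.
SAMPLE_SPKI_DER = b"constructed-placeholder-spki-der-bytes"
# Shaped like the output of `openssl x509 -pubkey -noout` (constructed).
SAMPLE_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + base64.encodebytes(SAMPLE_SPKI_DER).decode()
    + "-----END PUBLIC KEY-----\n"
)
# The single-pin header value from the post (pin value copied from the page).
POST_HEADER = 'pin-sha256="VhFYptFYvVRv1KVvcUg3EfHvv15wkBFpRU332RNC2sM="; max-age=5184000'


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def pem_pubkey_to_pin(pem: str) -> str:
    """Pin from a PEM 'PUBLIC KEY' block.

    The base64 body of that block is already the DER SPKI, so decoding it
    yields the same bytes the openssl pipeline feeds to `openssl dgst`.
    """
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem, re.S)
    if not m:
        raise ValueError("no PUBLIC KEY block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return spki_pin(der)


def build_pkp_header(pins, max_age: int, include_subdomains: bool = False) -> str:
    """Build a Public-Key-Pins header value; refuse fewer than two pins."""
    if len(pins) < 2:
        raise ValueError("HPKP needs at least two pins (one must be a backup)")
    parts = [f'pin-sha256="{p}"' for p in pins] + [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


def parse_pkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins value into pins, max-age and the subdomain flag."""
    pins, max_age, include_subdomains = [], None, False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "pin-sha256":
            # A SHA-256 digest is 32 bytes, which is exactly 44 base64 characters.
            if len(raw) != 44 or len(base64.b64decode(raw, validate=True)) != 32:
                raise ValueError(f"malformed pin: {raw!r}")
            pins.append(raw)
        elif name == "max-age":
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_subdomains}


def is_enforceable(parsed: dict, chain_spki_ders) -> bool:
    """Would a browser note these pins (RFC 7469 'Noting Pins' conditions)?

    Needs a max-age, a pin matching a key in the served chain, and a backup
    pin that matches no key in the chain.
    """
    if parsed["max_age"] is None or not parsed["pins"]:
        return False
    chain_pins = {spki_pin(d) for d in chain_spki_ders}
    matching = chain_pins & set(parsed["pins"])
    backup = set(parsed["pins"]) - chain_pins
    return bool(matching) and bool(backup)


if __name__ == "__main__":
    live_pin = pem_pubkey_to_pin(SAMPLE_PEM)
    backup_pin = spki_pin(b"backup-key")  # constructed stand-in for a spare key
    header = build_pkp_header([live_pin, backup_pin], 5184000)
    print("Header always set Public-Key-Pins", repr(header))
    print("single-pin header from the post enforceable:",
          is_enforceable(parse_pkp_header(POST_HEADER), [SAMPLE_SPKI_DER]))
    print("two-pin header enforceable:",
          is_enforceable(parse_pkp_header(header), [SAMPLE_SPKI_DER]))
```

In practice the backup pin is computed from a key you keep offline (a spare private key or a CSR generated from it), so that a compromised or expired leaf certificate can be replaced without locking returning visitors out for the full max-age.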

Verify HPKP

You can verify the header with SSL Labs. After scanning the website, look for the following line in the output.

Public Key Pinning (HPKP) : YES

Click here for the full output of this webserver.

2 thoughts on “Enable Public Key Pinning on Apache2”

  1. Pingback: HPKP with Letsencrypt certificates - Thomas Elsen Security Blog

  2. Mesut

    Thank you for such a great tutorial. But what about the backup pin? How should we set it? Could you also explain it?
