The "ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN" error is what Chrome and other Chromium-based browsers show when a site's certificate chain passes normal validation but contains none of the public keys the browser has pinned for that host. A pin is the base64-encoded SHA-256 hash of a certificate's SubjectPublicKeyInfo (the public key, not the whole certificate), and a pin set is satisfied if any certificate in the validated chain, whether leaf, intermediate or root, carries one of the pinned keys. HTTP Public Key Pinning (HPKP, the Public-Key-Pins header defined in RFC 7469) lets a site tell browsers which keys to expect on later visits; browsers also ship a built-in pin list for a small number of high-profile domains. The mechanism exists to stop man-in-the-middle attacks that rely on a mis-issued but otherwise valid certificate. Note that Chrome (version 72) and Firefox (version 72) have since dropped support for the HPKP header, so with current browsers the error comes from built-in pins; the causes and fixes below apply equally to any client that enforces a pin set, including older browsers that still honour a previously cached Public-Key-Pins header.
Here's a detailed breakdown of what causes this error, how to fix it, and how to keep it from recurring.
Common causes:
1) Misconfigured Public Key Pinning:
- If none of the certificates in the server's chain carries a public key that the client has pinned, the client rejects the connection before sending any HTTP request. The check is on the hash of the public key, so replacing a certificate while keeping the same key pair does not break a pin, but deploying a new key pair that was never pinned does.
2) Certificate Changes:
- If a certificate is renewed or reissued with a new key pair and the pin set is not updated first, clients holding the old pins reject the new chain. With HPKP this is particularly painful because a client keeps the cached pins for the full max-age: it cannot receive an updated Public-Key-Pins header from a site it refuses to connect to, so the outage lasts until the pins expire or a pinned key is brought back into the chain.
3) Intermediate Certificate Changes:
- If the pin set covers only an intermediate CA key, the CA switching to a new intermediate, or the browser building a different path than the one the server sends (for example through a cross-signed root), leaves no pinned key in the validated chain. Pins are checked against the chain the client built and validated, which is not always the chain you serve.
4) Expired or Revoked Certificates:
- An expired or revoked certificate by itself produces a different error (ERR_CERT_DATE_INVALID or ERR_CERT_REVOKED), because chain validation runs before the pin check. The pin error appears one step later, when the replacement certificate issued in a hurry uses a fresh key pair that is not in the pin set.
5) Incorrect Pinning Configuration:
- Mistakes in the pin set itself, such as hashing the whole certificate instead of the SubjectPublicKeyInfo, pinning the wrong key, or omitting a genuine backup pin (one for a key you hold but that is not in the current chain), lead to connection failures as soon as anything in the chain changes.
How to fix it:
1) Update the Pinned Keys:
Confirm that the pin values you publish are SHA-256 hashes of the SubjectPublicKeyInfo of keys actually present in the served chain. Whenever a certificate is reissued, compute the pin of the new key before deploying it and add it to the pin set; old pins can be dropped only after every client that cached them has passed max-age.
2) Include Backup Pins:
When configuring HPKP, always include at least one backup pin: the hash of a spare key pair you have generated in advance and keep offline, not of anything already in the chain. If the primary key is compromised or lost, you issue the replacement certificate for the spare key and clients that still hold the old pins keep connecting. RFC 7469 requires such a backup pin, and browsers that implemented HPKP ignored a Public-Key-Pins header without one.
Public-Key-Pins: pin-sha256="base64+primaryKey=="; pin-sha256="base64+backupKey=="; max-age=5184000; includeSubDomains
Each pin-sha256 value is the 44-character base64 encoding of a 32-byte SHA-256 digest; the two placeholders above stand in for real values. Keep max-age modest while pinning is new: 5184000 seconds is 60 days during which a mistake cannot be undone on affected clients.
3) Verify Certificate Chain:
Serve the complete chain (leaf plus every intermediate) in the right order and confirm the client can build a trusted path from it. `openssl s_client -connect host:443 -servername host -showcerts` prints the chain the server actually sends, which is what you should compute pins from or compare against. Because the client pins against the chain it validated, if your CA's intermediate is cross-signed, pin a key that appears in every plausible path (the leaf key, or the keys of both possible issuers).
4) Test Configuration:
- Use online tools and services to test your pinning configuration and ensure that it is correctly set up.
- SSL Labs offers a comprehensive SSL test that reports chain problems (missing or out-of-order intermediates, alternate trust paths) and shows the Public-Key-Pins header if one is served.
- In Chrome, a NetLog capture from chrome://net-export records the failing connection together with its error code, which is more useful than the generic error page.
5) Monitor Certificate Expiry:
Regularly monitor the expiry dates of your certificates and renew them well in advance. Decide at the same time whether the renewal keeps the key pair (pins unchanged) or rotates onto the pre-pinned backup key (primary and backup swap roles, and a new backup is generated and pinned before the switch).
6) Check for Revoked Certificates:
Make sure none of the certificates in the chain are revoked. Certificate Transparency logs record what was issued, not what was revoked; check revocation status against the issuer's OCSP responder or CRL, for example with `openssl ocsp -issuer issuer.pem -cert cert.pem -url <OCSP URL from the certificate's Authority Information Access extension>`.
7) Review Browser and Server Logs:
The pin decision is made entirely on the client after the TLS handshake, so server logs show at most a connection that was closed right after the handshake without a request; the details are on the client side. If you served an HPKP report-uri (or the Public-Key-Pins-Report-Only header), affected clients post a JSON report listing the served certificate chain and the pins they hold, which pinpoints the mismatch. One caveat when reproducing the problem: Chrome does not enforce pins for chains that end in a locally installed root, so intercepting traffic with a corporate proxy or a testing proxy such as Burp hides the error instead of showing it.
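To make steps 1 to 3 concrete, here is an added POSIX shell example (not from the original article) that computes pin-sha256 values with the openssl CLI and replays the client's decision for four renewal scenarios: the deployed certificate, a renewal that re-uses the key pair, a renewal with an unplanned new key pair, and a planned rotation onto the pre-pinned backup key. It also checks the RFC 7469 backup-pin rule and prints the resulting Public-Key-Pins header. The test CA, the host name www.example.test and the key names are constructed for the demo; only the openssl CLI is needed, all files live in a temporary directory, and nothing leaves the machine.

```shell
#!/bin/sh
# Added example, not from the original article: compute pin-sha256 values and
# replay the client-side check behind ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN.
# Everything below is generated locally (throwaway CA, www.example.test leafs);
# the only requirement is the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# pin-sha256 = base64( SHA-256( DER SubjectPublicKeyInfo ) ). The hash covers
# the public key, not the certificate, so a renewal that keeps the key keeps
# the pin and a renewal with a fresh key pair invalidates it.
cert_pin() {  # cert_pin CERT.pem
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 -binary | openssl enc -base64
}
key_pin() {   # key_pin PRIVATE_KEY.pem (for a backup key that is not deployed)
  openssl pkey -in "$1" -pubout -outform der \
    | openssl dgst -sha256 -binary | openssl enc -base64
}

# chain_has_pin CHAIN.pem PIN... -> 0 if any certificate in the bundle carries
# one of the pins, 1 otherwise. A client that gets 1 here shows the error.
chain_has_pin() {
  chain=$1; shift
  d=$(mktemp -d "$WORK/split.XXXXXX")
  awk -v dir="$d" '/-----BEGIN CERTIFICATE-----/ { n++; f = dir "/" n ".pem" }
                   f != "" { print > f }' "$chain"
  rc=1
  for c in "$d"/*.pem; do
    p=$(cert_pin "$c")
    for want in "$@"; do
      if [ "$p" = "$want" ]; then rc=0; fi
    done
  done
  rm -rf "$d"
  return "$rc"
}

# pin_set_deployable CHAIN.pem PIN... -> 0 only if the set matches the chain AND
# holds at least one pin that is not in it: the RFC 7469 backup-pin rule that a
# browser enforced before accepting a Public-Key-Pins header.
pin_set_deployable() {
  set_chain=$1; shift
  chain_has_pin "$set_chain" "$@" || return 1
  for cand in "$@"; do
    chain_has_pin "$set_chain" "$cand" || return 0   # this pin is a real backup
  done
  return 1
}

hpkp_header() {  # hpkp_header PIN... -> the header line to serve
  h="Public-Key-Pins:"
  for cand in "$@"; do h="$h pin-sha256=\"$cand\";"; done
  printf '%s max-age=5184000; includeSubDomains\n' "$h"
}

# --- constructed test material: one throwaway CA, three key pairs, four leafs --
q() { "$@" 2>/dev/null; }   # silence openssl progress output
q openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=Test-Root \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem"
for k in current spare rogue; do
  q openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$k.key"
done
issue() {  # issue NAME KEY.pem SERIAL -> NAME.pem and NAME.chain.pem (leaf + CA)
  q openssl req -new -key "$2" -subj /CN=www.example.test -out "$WORK/$1.csr"
  q openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -set_serial "$3" -days 30 -out "$WORK/$1.pem"
  cat "$WORK/$1.pem" "$WORK/ca.pem" > "$WORK/$1.chain.pem"
}
issue leaf1 "$WORK/current.key" 1   # what is deployed today
issue leaf2 "$WORK/current.key" 2   # renewal that re-uses the key pair
issue leaf3 "$WORK/rogue.key"   3   # renewal with an unplanned new key pair
issue leaf4 "$WORK/spare.key"   4   # planned rotation onto the backup key

PRIMARY=$(cert_pin "$WORK/leaf1.pem")   # pin of the deployed key
BACKUP=$(key_pin "$WORK/spare.key")     # pin of the offline spare key
hpkp_header "$PRIMARY" "$BACKUP"

for n in leaf1 leaf2 leaf3 leaf4; do
  if chain_has_pin "$WORK/$n.chain.pem" "$PRIMARY" "$BACKUP"; then
    echo "$n: pin check OK"
  else
    echo "$n: ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN"   # only leaf3 ends up here
  fi
done
```

Run it as `sh pins.sh`: leaf1, leaf2 and leaf4 pass, and leaf3 (the reissue with an unplanned key) is the one that would break every client holding the pins. The `pin_set_deployable` check is worth running before publishing a header: a set of primary plus issuing-CA pin looks like it has two pins but fails the rule, because both keys are already in the chain and neither can serve as a fallback.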
Prevention:
1) Regular Audits:
- Regularly audit your SSL/TLS configurations and pinning policies to ensure they are up-to-date and correctly implemented: recompute the pins from the certificates and backup keys you actually hold and compare them with what is published.
2) Automate Certificate Management:
- Use automated tools and services for managing SSL certificates to reduce the risk of human error and ensure timely updates. If renewal is automated (for example through an ACME client), make sure the automation either reuses the existing key pair or rotates onto a key whose pin is already published; an automated renewal that silently generates a new key is a classic way to trigger this error.
3) Educate Your Team:
- Ensure that your development and IT teams are aware of the importance of HPKP and how to manage it correctly, in particular that keys rather than certificates are pinned and that a backup key must exist before pinning is switched on.
By understanding the causes of the "ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN" error and following these steps to fix and prevent it, you can ensure a secure and reliable HTTPS connection for your users. If you need more help or have specific questions, don't hesitate to contact our support team or consult the relevant documentation and tools.