Pinning of Certificates and Public Keys

What Is HTTP Public Key Pinning?

Public key pinning lets you define which public keys are valid for future SSL/TLS connections to your host. This extension is based on the HTTP transfer protocol. What makes it unique is that the connecting client only learns which public key is trusted for establishing a connection at the moment of first contact. For this reason, HTTP public key pinning is also known as "trust on first use". The verified encryption -- called a pin -- gives the mechanism its name. A critical detail is that the generated pins are stored in the client's HTTP header for a specified period of time.

When the client attempts to reconnect, the certificate chain is verified again. This verification process, known as pin validation, is a central aspect of pinning and functions much like a digital signature.

How Does Pinning Work?

Public key pinning makes your SSL connection significantly more secure through SSL certificates. Its purpose is to reliably detect when the public key of a host's certificate changes -- for example, if an attacker compromises the Certification Authority.

Once an SSL connection is established, the browser uses HTTP public key pinning to check the stored pin for the hostname. This allows it to verify whether the SPKI fingerprints within the certificate chain are correct. If verification fails, the connection is terminated immediately. If you choose not to use HTTP public key pinning, the connection is still established regardless.

The Steps Involved in Pinning

The process follows these steps:

• Generate a private key -- both a primary and a backup key.
• Create the CSRs (Certificate Signing Requests) for both private keys.
• Generate the SPKI fingerprints for both public keys.
• Adjust the virtual host configuration.
• Perform the pinning of the public keys.

Proper encryption and a digital signature are essential when working with digital data. This is especially true when you access data on the go or transmit it remotely. In such cases, the entire transmission path must remain secured end to end.

Using Pinning Securely

The pinning method is considered a secure way to explicitly define which certificates a website accepts for encrypted connections. Setting aside the TOFU limitation, this approach can resolve the trust problem inherent in public key infrastructure. The browser knows which domain was requested and which certificates are acceptable for it. As a result, if the server presents an unrecognized certificate, the connection is rejected immediately.

Watch Out for Pitfalls in the Details

This approach can also have its pitfalls. For example, if your website can no longer use the certificates associated with the communicated pins, the browser will reject your connection attempts. You would then be unable to access the website until the pin information expires.

For this reason, it is important to carefully weigh the benefits of HTTP public key pinning against the risks. If you pin your own certificates, you must continuously verify the delivered header. Beyond securely managing and storing your pins, you need a rolling renewal process that regularly tests and validates them. A mechanism using a Public-Key-Pins-Report-Only header is well suited for this purpose: the system does not strictly enforce the policy, but it does notify you of potential violations.

Risks of Pinning

HTTP public key pinning is not without risk. Before relying on this mechanism, you should evaluate whether pinning can be implemented reliably in your environment. The following risks may arise:

• If the key on the server changes, the app can no longer reach your backend. With regularly rotating keys or certificates, this can quickly become a serious problem.
• If you use an option like NS Pinned Leaf Identities, you pin a direct server key. This simplifies the process but requires that your key management is extremely secure.
• Exercise caution with managed cloud solutions as well. With ready-to-use API gateways, you rarely control the keys yourself. A typical example is the root CA certificates from Microsoft.
• Faulty configurations carry the risk of irrevocably locking you out as a website operator. For this reason, exercise particular care and entrust pinning to experienced specialists.

Despite This, Pinning Is Beneficial

Pinning offers advantages beyond the web -- it is also becoming increasingly important for mobile apps. It helps keep the risks associated with apps to a minimum. In the app context, you benefit from two key advantages: first, app providers often control both endpoints, and second, an independent recovery channel is available.

Conclusion -- Key Pinning Protects Against Malicious Certificate Authorities

HTTP Public Key Pinning (HPKP) provides a technology that solves numerous problems related to certificate authorities. It ensures that your website's users are connected to the correct domain, effectively ruling out forgery. You continue to receive cryptographic certificates from CAs as before.

The certification system has fallen into disrepute primarily because forged certificates were found in circulation at several certificate authorities. As a result, trust in this model is now limited. The underlying problem lies in common browsers: they automatically trust that hundreds of certificate authorities -- including their subordinate CAs -- issue only legitimate certificates.

HTTP Public Key Pinning addresses exactly this issue. The extension was largely developed by Google employees, who used a comparatively simple mechanism to improve the security of their HTTPS certificates: a pin sent along with a website's HTTP header. These cryptographic keys are issued as hashes and carry a time value, ensuring that browsers only accept connections where the certificate uses such pinning.

Another useful feature is the ability to specify a reporting URL that receives a notification when access occurs via a faulty certificate. If the browser receives an HTTPS connection without a valid pin and without a matching certificate, you receive a JSON-encoded error report.