2015-11-18 19:45 GMT+01:00 Bryan Talbot <bryan.tal...@ijji.com>:
> AFAIK, HPKP is only somewhat supported by only the most recent browser
> releases. I believe that it's also ignored by them for certificates which
> are self-signed or signed by a CA that is not in the browser's system-defined
> CA set. Probably doesn't cause your issue but who knows -- it is still
> experimental.

There is also one more detail people often miss about HPKP. In order
for HPKP to work, you MUST have a backup pin, that is a pin for a
certificate that is offline. That means at least two pins, otherwise
this whole header is ignored. See RFC7469 section 2.5. Also use tools
in browsers, like Chrome net internals, to verify that it is correctly
noted by the browser.

-- 
Janusz Dziemidowicz
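
The backup-pin requirement described above can be checked before a header is deployed. The following is an added example, not part of the original message or of any project's code: it applies the RFC 7469 section 2.5 conditions to a Public-Key-Pins value, and also shows that two pins which both match the served chain still fail. The function names and the SPKI byte strings are constructed for illustration (they are not real DER keys).

```python
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_pkp(header: str):
    """Split a Public-Key-Pins value into (set of valid pins, max_age or None)."""
    pins, max_age = set(), None
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            try:
                # A usable pin decodes to exactly 32 bytes (one SHA-256 digest).
                if len(base64.b64decode(value, validate=True)) == 32:
                    pins.add(value)
            except ValueError:
                pass  # malformed base64: ignore this pin
        elif name == "max-age" and value.isdigit():
            max_age = int(value)
    return pins, max_age


def check_pkp(header: str, chain_pins: set):
    """Return (would_be_noted, reason) for a header served with this chain."""
    pins, max_age = parse_pkp(header)
    if max_age is None:
        return False, "missing max-age"
    if not pins & chain_pins:
        return False, "no pin matches the served chain"
    if not pins - chain_pins:
        return False, "no backup pin"  # every pin is a key already in the chain
    return True, "ok"


# Constructed sample keys: two in the served chain, one kept offline.
LEAF = spki_pin(b"constructed-leaf-spki")
INTERMEDIATE = spki_pin(b"constructed-intermediate-spki")
BACKUP = spki_pin(b"constructed-offline-backup-spki")
CHAIN = {LEAF, INTERMEDIATE}

if __name__ == "__main__":
    for hdr in (f'pin-sha256="{LEAF}"; max-age=5184000',
                f'pin-sha256="{LEAF}"; pin-sha256="{BACKUP}"; max-age=5184000'):
        print(check_pkp(hdr, CHAIN))
```
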
