Introduction
HTTP Public Key Pinning (HPKP), sometimes incorrectly known as certificate pinning, is a security mechanism which allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates.
Calculating the PKP
Calculating the PKP with OpenSSL
Calculating the PKP of a live website's certificate (the pin is the base64-encoded SHA-256 of the DER-encoded SubjectPublicKeyInfo; openssl pkey is used instead of openssl rsa so the pipeline also works for EC keys, which openssl rsa rejects, and -servername sends the SNI the server needs to pick the right certificate):
$ echo | openssl s_client -connect github.com:443 -servername github.com 2>/dev/null | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | \
openssl x509 -inform pem -pubkey -noout | \
openssl pkey -pubin -outform der | \
openssl dgst -sha256 -binary | \
openssl enc -base64
Calculating the PKP of a certificate file (cert.pem, PEM-encoded):
$ openssl x509 -in cert.pem -inform pem -pubkey -noout | \
openssl pkey -pubin -outform der | \
openssl dgst -sha256 -binary | \
openssl enc -base64
Sample
GitHub:
$ curl -I https://github.com/
HTTP/1.1 200 OK
Server: GitHub.com
......
Public-Key-Pins: max-age=300; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg="; includeSubDomains
......
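As an added worked example (not part of the original note, and not GitHub's or OpenSSL's code), the following standard-library Python script computes the same pin the openssl pipeline above prints, but from a certificate's DER bytes, and then checks a Public-Key-Pins header the way RFC 7469 tells a user agent to: a max-age must be present, at least one pin must match a SubjectPublicKeyInfo in the validated chain, and at least one pin must match nothing in the chain (the backup pin). The certificate and key bytes are constructed placeholders built with a tiny DER encoder, not a real key or certificate; the backup pin reuses the first pin from the GitHub sample above.

```python
"""Compute HPKP pins and validate a Public-Key-Pins header (standard library only).
Added example; the certificate and key material below are constructed, not real."""
import base64
import hashlib


# --- minimal DER helpers: enough to build and walk the Certificate field layout ---
def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(enc)]) + enc
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int):
    """Return (tag, value, end) for the TLV that starts at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        length, header = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + header
    return tag, buf[start:start + length], start + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the complete SubjectPublicKeyInfo TLV from a DER certificate.
    Certificate { tbsCertificate { [0] version?, serialNumber, signature,
    issuer, validity, subject, subjectPublicKeyInfo, ... }, ... }"""
    tag, cert_body, _ = der_read(cert_der, 0)
    tag2, tbs, _ = der_read(cert_body, 0)
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER Certificate")
    pos = 0
    tag, _, end = der_read(tbs, pos)
    if tag == 0xA0:            # explicit [0] version is absent in v1 certificates
        pos = end
    for _ in range(5):         # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    tag, _, end = der_read(tbs, pos)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return tbs[pos:end]        # the pin covers the whole SPKI TLV, tag and length included


def pin_sha256(spki_der: bytes) -> str:
    """RFC 7469 pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_pkp(header: str) -> dict:
    """Parse the directives of a Public-Key-Pins header value."""
    meta = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            meta["pins"].append(value)
        elif name == "max-age":
            meta["max_age"] = int(value)
        elif name == "includesubdomains":
            meta["include_subdomains"] = True
        elif name == "report-uri":
            meta["report_uri"] = value
    return meta


def header_noted(header: str, chain_spkis) -> bool:
    """Would a UA note these pins? RFC 7469 needs a max-age, one pin matching a
    SPKI in the validated chain, and one matching none of them (the backup pin)."""
    meta = parse_pkp(header)
    if meta["max_age"] is None:
        return False
    chain_pins = {pin_sha256(s) for s in chain_spkis}
    pins = set(meta["pins"])
    return bool(pins & chain_pins) and bool(pins - chain_pins)


def chain_passes(noted_pins, chain_spkis) -> bool:
    """Pin validation on a later connection: any noted pin matching any chain SPKI passes."""
    return any(pin_sha256(s) in noted_pins for s in chain_spkis)


# --- constructed sample data (placeholder key and certificate, not real) ---
RSA_OID = bytes.fromhex("2a864886f70d010101")          # rsaEncryption
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")   # sha256WithRSAEncryption
FAKE_MODULUS = b"\x00\xc1" + bytes(range(1, 31))       # placeholder bytes, not a real modulus
SAMPLE_SPKI = der_tlv(0x30,
    der_tlv(0x30, der_tlv(0x06, RSA_OID) + der_tlv(0x05, b""))
    + der_tlv(0x03, b"\x00" + der_tlv(0x30, der_tlv(0x02, FAKE_MODULUS) + der_tlv(0x02, b"\x01\x00\x01"))))


def build_toy_certificate(spki: bytes) -> bytes:
    """Certificate-shaped DER with empty names and a dummy signature; only the field order matters."""
    sig_alg = der_tlv(0x30, der_tlv(0x06, SHA256_RSA_OID) + der_tlv(0x05, b""))
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))    # [0] EXPLICIT INTEGER 2 (v3)
    validity = der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"250101000000Z"))
    empty_name = der_tlv(0x30, b"")
    tbs = der_tlv(0x30, version + der_tlv(0x02, b"\x01") + sig_alg + empty_name + validity + empty_name + spki)
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00" * 9))


SAMPLE_CERT = build_toy_certificate(SAMPLE_SPKI)
BACKUP_PIN = "WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="   # first GitHub pin from the sample, reused as a backup pin
SAMPLE_HEADER = f'max-age=300; pin-sha256="{pin_sha256(SAMPLE_SPKI)}"; pin-sha256="{BACKUP_PIN}"; includeSubDomains'

if __name__ == "__main__":
    print("pin of constructed certificate:", pin_sha256(extract_spki(SAMPLE_CERT)))
    print("header would be noted:", header_noted(SAMPLE_HEADER, [SAMPLE_SPKI]))
```

Running the script prints the pin of the constructed certificate and whether the sample header would be noted. Two points the code makes explicit: the pin covers the SubjectPublicKeyInfo, not the certificate and not the raw key, so a renewed certificate carrying the same key keeps its pin (hashing the whole certificate yields a different, useless value); and a header without a backup pin is ignored by a conforming user agent, because without one a lost or compromised key would lock clients out of the site for max-age seconds. Bear in mind that Chrome (version 72) and Firefox (version 72) have since removed HPKP support, so the header itself is now mostly of historical interest, although the same base64 SPKI SHA-256 pin format is still used by pinning in native applications.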
References
- https://tools.ietf.org/html/rfc7469 - Public Key Pinning Extension for HTTP