HTTP Public Key Pinning (HPKP) – Windows Server IIS

HPKP is another security mechanism that uses an HTTP header to protect against impersonation attacks with fraudulently issued certificates. To enable it on the server side, you add a special response header that contains hashes of the public keys (pins) found in the certificates the server supplies in the TLS Certificate message. When a browser with HPKP support receives such a header, it validates the pins by comparing them with the certificate chain it received.

If validation succeeds, the browser associates the website with the received pins. From then on, a pin validation failure during a later connection results in a non-recoverable error.

Open “IIS Manager”, select the website you would like to apply HPKP to, and then double-click the “HTTP Response Headers” shortcut:

  • Click “Add” in the “Actions” pane on the right side.
  • Enter “Public-Key-Pins” in the “Name” field.
  • Calculate the SPKI digest of the public key using the SHA-256 hash function, either with OpenSSL or with an online calculator.

Enter the string as below in the “Value” field:

pin-sha256="SPKI_digest#1"; pin-sha256="SPKI_digest#2"; max-age=31536000

Replace “SPKI_digest#1” with the SPKI digest (pin) computed with SHA-256 from one of the certificates the server currently sends during the SSL/TLS handshake.

Replace "SPKI_digest#2" with the SPKI digest (pin) computed with SHA-256 from one of the certificates in your backup certificate chain.

REMEMBER: a backup pin is an obligatory requirement.

The max-age directive specifies the time (in seconds) after receiving the HPKP header field during which a client application treats the host the header came from as a known HPKP host. In simple words, it is how long a browser should keep the “HPKP” cookies and perform HPKP validation using the pins it initially received in the header.

Example:

pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; pin-sha256="kb6xLprt35abNnSn74my4Dkfya9arbk5zN5a60YzuqE="; max-age=31536000


Optionally, you can add “includeSubDomains” to the “Value” field if you would like the HPKP policy to apply to subdomains of your domain name as well as to the main domain name.

If you include it, the “includeSubDomains” directive goes at the end of the string, delimited with a semicolon:

pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; pin-sha256="kb6xLprt35abNnSn74my4Dkfya9arbk5zN5a60YzuqE="; max-age=31536000; includeSubDomains

Click "OK".
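The pin calculation from the steps above (base64 of the SHA-256 digest over the DER SubjectPublicKeyInfo, which is what `openssl x509 -pubkey -noout` prints in PEM form) and the checks an operator wants before clicking “OK” (well-formed pins, a max-age, a pin that matches the served chain, and a backup pin that does not), as an added example that is not part of the original tutorial. The sample Ed25519 key bytes are constructed placeholders; the header value is the one from the tutorial.

```python
import base64
import hashlib
import re

# Header value from the tutorial above (two example pins, one-year max-age, subdomains).
EXAMPLE_HEADER = ('pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; '
                  'pin-sha256="kb6xLprt35abNnSn74my4Dkfya9arbk5zN5a60YzuqE="; '
                  "max-age=31536000; includeSubDomains")

# Constructed sample key: the DER prefix of an Ed25519 SubjectPublicKeyInfo followed by
# 32 placeholder bytes. Not a real deployed key; it only exercises the pin arithmetic.
SAMPLE_SPKI_DER = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))
SAMPLE_SPKI_PEM = ("-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n"
                   % base64.b64encode(SAMPLE_SPKI_DER).decode("ascii"))

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of the SHA-256 digest over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def pin_from_pem(pem: str) -> str:
    """Pin from a PEM PUBLIC KEY block (what 'openssl x509 -pubkey -noout' prints)."""
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    return spki_pin(base64.b64decode(body))

def parse_hpkp(value: str) -> dict:
    """Split a Public-Key-Pins value into its pins, max-age and includeSubDomains flag."""
    pins, max_age, include_sub = [], None, False
    for directive in (d.strip() for d in value.split(";") if d.strip()):
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            pins.append(arg)
        elif name == "max-age":
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_sub}

def check_policy(header_value: str, served_chain_pins: list) -> list:
    """Problems a browser (no match) or an operator (no backup) would flag for this header."""
    policy = parse_hpkp(header_value)
    problems = [f"malformed pin: {p}" for p in policy["pins"]
                if not re.fullmatch(r"[A-Za-z0-9+/]{43}=", p)]   # 32-byte digest -> 44 chars
    if policy["max_age"] is None:
        problems.append("max-age missing")
    if not any(p in served_chain_pins for p in policy["pins"]):
        problems.append("no pin matches the served chain")  # browser: non-recoverable error
    elif all(p in served_chain_pins for p in policy["pins"]):
        problems.append("no backup pin: every pin is in the served chain")
    return problems
```

Run `check_policy` with the pins of the chain IIS actually serves: an empty list means the header is deployable, and the “no backup pin” entry is the case the REMEMBER note above is about.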

Backup Pins

The primary way to cope with the risk of inadvertent pin failure is to keep a backup pin. A backup pin is a fingerprint (SHA-256 digest) of the public key of a secondary, not-yet-deployed key pair.

The operator (the company that owns the web server protected by the SSL certificate) keeps the backup key pair offline and sets a pin for it in the Public-Key-Pins header.

Then, if the operator loses control of the primary private key, they can deploy the backup key pair. UAs (user agents, i.e. internet browsers) that have the backup key pinned (because it was set in previous valid Pinning Headers) can connect to the host without error.