HPKP nginx apache


HPKP nginx apache

To enable HPKP you first need, for every key you intend to pin, the base64-encoded SHA-256 hash of its DER-encoded SubjectPublicKeyInfo; any of the three commands below produces it. Caveat before you start: HPKP is deprecated — Chrome removed support in version 72 (2019) and Firefox in version 72 (2020), so no current mainstream browser enforces the header — and a mistaken pin set locks visitors out of your site for the whole max-age. Certificate Transparency monitoring and DNS CAA records are the usual replacements.

From key file

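# HPKP pin from a private key file: base64(SHA-256(DER(SubjectPublicKeyInfo))).
# `openssl pkey` reads RSA and EC keys alike; the original `openssl rsa` fails on EC keys.
# Usage: hpkp_pin_from_key my-key-file.key
# Caveat: HPKP is deprecated and no longer enforced by current mainstream browsers.
hpkp_pin_from_key() {
  local key_file=$1
  openssl pkey -in "$key_file" -pubout -outform der \
    | openssl dgst -sha256 -binary \
    | openssl enc -base64
}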

From csr file

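# HPKP pin from a certificate signing request: extracts the public key and hashes its DER SPKI.
# `openssl pkey -pubin` handles RSA and EC public keys; the original `openssl rsa -pubin` did RSA only.
# Usage: hpkp_pin_from_csr my-signing-request.csr
# Caveat: HPKP is deprecated and no longer enforced by current mainstream browsers.
hpkp_pin_from_csr() {
  local csr_file=$1
  openssl req -in "$csr_file" -pubkey -noout \
    | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 -binary \
    | openssl enc -base64
}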

From crt file

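# HPKP pin from an X.509 certificate: extracts the public key and hashes its DER SPKI.
# Works for the leaf certificate or for an intermediate CA certificate, whichever key you pin.
# `openssl pkey -pubin` handles RSA and EC public keys; the original `openssl rsa -pubin` did RSA only.
# Usage: hpkp_pin_from_crt my-certificate.crt
# Caveat: HPKP is deprecated and no longer enforced by current mainstream browsers.
hpkp_pin_from_crt() {
  local crt_file=$1
  openssl x509 -in "$crt_file" -pubkey -noout \
    | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 -binary \
    | openssl enc -base64
}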

You need at least two pins: a primary one for the key in the served certificate chain and a backup one for a key that is *not* in that chain (RFC 7469 requires such a backup pin; without it browsers ignore the header). Generate the backup key now, pin it, and keep it offline so you can re-issue a certificate if the primary key is lost or compromised — otherwise the site stays unreachable for pinning clients until max-age expires. Roll out with Public-Key-Pins-Report-Only and a short max-age first.


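# HPKP (RFC 7469) for nginx. CAUTION: deprecated — Chrome dropped support in version 72 (2019)
# and Firefox in version 72 (2020); no current mainstream browser enforces it, and a wrong pin
# set locks legitimate visitors out for max-age. Prefer CAA records plus Certificate Transparency
# monitoring. If you deploy it anyway: the backup pin MUST belong to a key that is not in the
# served chain (the RFC requires one) and be kept offline; trial it with
# Public-Key-Pins-Report-Only and a short max-age; includeSubDomains extends the lock-out to
# every subdomain. "always" also emits the header on error responses, not only 2xx/3xx
# (nginx >= 1.7.5). nginx pitfall: an add_header inside a nested location replaces all
# inherited add_header lines, so repeat this there.
add_header Public-Key-Pins 'pin-sha256="base64+primary=="; pin-sha256="base64+backup=="; max-age=5184000; includeSubDomains' always;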


# HPKP (RFC 7469) for Apache mod_headers. CAUTION: deprecated — no current mainstream browser
# enforces it (Chrome dropped it in version 72, Firefox in version 72) and a bad pin set locks
# visitors out for max-age. If deployed anyway: the backup pin must belong to a key that is not
# in the served chain (the RFC requires one) and be kept offline; test with
# Public-Key-Pins-Report-Only and a short max-age first. "always" also covers error responses.
Header always set Public-Key-Pins "pin-sha256=\"base64+primary==\"; pin-sha256=\"base64+backup==\"; max-age=5184000; includeSubDomains"

Scoring A+ 100 100 100 100 on SSL Labs

SSL Labs 100%

Scoring A+ 100 100 100 100 on SSL Labs

If you want an A+ with 100 in every category on SSL Labs, set the following options for Apache and nginx. Be aware of the cost: 100 for key exchange also needs a 4096-bit RSA key (or larger) in the certificate itself, and 100 for cipher strength means 256-bit ciphers only, on TLS 1.2+ only — clients without TLS 1.2 (for example Android 4.3 and older, or IE 10 and older in their default settings) will no longer connect. Check the handshake-simulation section of the report before deploying.


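# Apache mod_ssl settings for an A+ / 100-100-100-100 SSL Labs result.
# Trade-off: TLS 1.2+ only and 256-bit ciphers only, so clients without TLS 1.2
# (e.g. Android 4.3 and older, IE 10 and older in default settings) cannot connect.
SSLEngine on

# Leaf certificate and its private key (keep the key file readable by root only).
# Since Apache 2.4.8 the intermediate chain can be appended to SSLCertificateFile;
# SSLCertificateChainFile is deprecated there but still accepted.
SSLCertificateFile /etc/apache2/ssl/www_safematix_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/www_safematix_com.key

SSLCertificateChainFile /etc/apache2/ssl/chain.pem
# SSLCACertificateFile is the trust store for *client* certificate verification
# (SSLVerifyClient); it is not needed to serve your own chain. Harmless here.
SSLCACertificateFile /etc/apache2/ssl/ca.pem

# Legacy IE workarounds from the stock Apache example. With TLS 1.0/1.1 disabled below,
# MSIE 2-6 cannot negotiate at all, so the first rule is inert; kept for reference.
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

# TLS 1.2 only. On Apache 2.4.37+ with OpenSSL 1.1.1+ "All" also enables TLS 1.3;
# "-SSLv2" is ignored on builds that no longer know SSLv2.
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# TLS-level compression enables the CRIME attack.
SSLCompression off
# Session tickets (2.4.11+) use a key that only changes on restart, which weakens
# forward secrecy on long uptimes; consider "SSLSessionTickets off".

# HSTS: 15768000 s = 6 months, above the 180-day (15552000 s) SSL Labs minimum for A+.
# Preload-list submission needs max-age >= 31536000, includeSubDomains and "preload".
# The header name takes no trailing colon (mod_headers tolerates one, but the HPKP line
# above and the nginx section omit it).
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"

# 256-bit AES with ECDHE or DHE key exchange only. Note this also excludes
# ChaCha20-Poly1305 and keeps CBC suites; DHE uses Apache's built-in DH groups unless
# SSLOpenSSLConfCmd DHParameters "/path/to/dhparam.pem" (2.4.8+) points at your own.
SSLCipherSuite 'AES256+EECDH:AES256+EDH:!aNULL'
# OCSP stapling is configured in the nginx section but missing here. Apache needs both
# lines, with SSLStaplingCache at server scope outside any VirtualHost:
#   SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
#   SSLUseStapling on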


First generate the Diffie-Hellman parameter file used by the DHE (*EDH) cipher suites. These are public group parameters, not a key, so they need no special protection, but 4096-bit generation can take many minutes. Write the file to the same path that ssl_dhparam references below.

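# Generate Diffie-Hellman parameters for the AES256+EDH (DHE) suites enabled in the nginx config.
# Write them straight to the path nginx reads via ssl_dhparam: the original wrote
# www_safematix_com_dhparam.pem into the working directory, which did not match
# /etc/nginx/ssl/safematix/www.safematix.com-dhparam.pem in the config.
# 4096-bit generation is slow (minutes to tens of minutes); run it once. The parameters
# are public, so the file needs no special permissions.
openssl dhparam -out /etc/nginx/ssl/safematix/www.safematix.com-dhparam.pem 4096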
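# nginx TLS settings for an A+ / 100-100-100-100 SSL Labs result.
# Trade-off: TLS 1.2+ only and 256-bit ciphers only; clients without TLS 1.2 cannot connect.

# "ssl on;" is deprecated since nginx 1.15.0 and removed in 1.25.1; enable TLS on the
# listen socket instead. Merge this with the server block's existing listen directive(s).
listen 443 ssl;

# Leaf certificate (with intermediates appended) and its private key.
ssl_certificate /etc/nginx/ssl/safematix/www.safematix.com.crt;
ssl_certificate_key /etc/nginx/ssl/safematix/www.safematix.com.key;

# Custom DH group for the AES256+EDH (DHE) suites; generated with "openssl dhparam ... 4096".
ssl_dhparam /etc/nginx/ssl/safematix/www.safematix.com-dhparam.pem;
# Trust anchors ssl_stapling_verify uses to check the OCSP response signature.
ssl_trusted_certificate /etc/nginx/ssl/ca.pem;

ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;
# Session tickets are encrypted with a key that only changes on reload, which weakens
# forward secrecy across long uptimes; consider "ssl_session_tickets off;".

# OCSP stapling. The resolver directive needs at least one nameserver address — the
# original "resolver valid=300s;" had none, so nginx could not look up the OCSP responder.
# 127.0.0.1 assumes a local caching resolver; replace it with one you control.
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.1 valid=300s;
resolver_timeout 10s;

# Security headers. "always" adds them to error responses too (nginx >= 1.7.5).
# nginx pitfall: a location/server/if block with its own add_header inherits NONE of
# these — repeat them there. Exactly one HSTS header: the original emitted three with
# conflicting max-age values, and user agents honour only the first one they receive
# (RFC 6797 section 8.1). 15768000 s = 6 months, above the 180-day SSL Labs minimum for A+
# and matching the Apache section; preload-list submission needs max-age >= 31536000
# plus includeSubDomains and "preload".
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;

ssl_prefer_server_ciphers on;
# Add TLSv1.3 here once on nginx >= 1.13.0 with OpenSSL >= 1.1.1 (older builds reject it).
ssl_protocols TLSv1.2;
# 256-bit AES with ECDHE/DHE only; this excludes ChaCha20-Poly1305 and keeps CBC suites.
ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';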