SSL connection errors are part of day-to-day browsing. With HTTPS adoption well into the 90% figures across Google services, SSL-related bugs and application conflicts are inevitable. Managing SSL certificates can be tricky if you don’t adhere to the best practices. That’s why, as a website owner, you have to ensure proper SSL configuration.
In this article, we’ll cover the NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error in Google Chrome, a pretty rare issue caused by incorrect key pinning. Due to its complexity, only website owners can fix this problem. Moreover, you should be well versed in the key pinning specifics. We highly recommend you stop pinning keys unless you’re an expert.
For website owners, the best solution to this problem is a preventive one. Don’t pin keys unless you 100% know what you’re doing.
In theory, HTTP public key pinning (HPKP) was a promising security feature, but it failed in practice and has been swiftly removed from many modern browsers. The idea was to link a particular cryptographic public key with a specific server to reduce the risk of man-in-the-middle attacks.
However, pinning the right key to the certificate isn’t straightforward as you have to pin your keys and the keys for the rest of your certificate chain, except the root whose keys are already included in root stores.
When users visit your site, their browsers use the public keys to verify the signature of the primary certificate and trace it back to the intermediate then root certificate to complete the SSL handshake. If just one key is miss-pinned, browsers will display the NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error for Chrome, and its variants in other browsers.
Unless you work for a technologically advanced organization that pins keys for internal security protocols, the best advice we can give you is to not pin keys. Security experts advise against key pinning, but even if you tried to pin a key and ended up with an error on your website, the fix is simple. Reinstall your SSL certificate the proper way and enjoy bulletproof encryption. With the current SSL validity set at just one year, there’s no need to pin keys.
Unfortunately, if you face the NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error as a user, you can’t do much about it. The best option is to contact the site owner and let them know about the issue. But as we don’t want to leave you without a fix, we’ll present a solution that will require you to submit the domain name that is causing the error to Delete domain security policies in Chrome.
- Open your Chrome browser and type chrome://net-internals/#hsts in the URL box.
- Next, scroll down until you see Delete domain security policies.
- In the Domain box, submit the domain you can’t access and click delete.
- Restart the website and see if it works
The NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error is a perfect example of SSL certificate mismanagement. All SSL certs issued by trustworthy Certificate Authorities will work flawlessly if you follow the best installation practices. However, if you begin to tweak critical elements within your certificate, you’re playing with fire and asking for trouble. Key pinning is a complex process that is not worth your time and hassle. The best solution is to avoid key pinning.
If you find any inaccuracies, or you have details to add to this SSL tutorial, please feel free to send us your feedback at [email protected] Your input would be greatly appreciated! Thank you.