Enable HPKP for internal CA


I know that Firefox and Chrome disable pin validation for pinned hosts whose validated certificate chain terminates at a user-defined trust anchor (rather than a built-in trust anchor). This means that for users who imported custom root certificates, all pinning violations are ignored.

However, there are settings that seem to override that and force a user-defined CA to be checked against HPKP:

The pinning level is enforced by a pref, security.cert_pinning.enforcement_level

   0. Pinning disabled
   1. Allow User MITM (pinning not enforced if the trust anchor is a user inserted CA, default)
   2. Strict. Pinning is always enforced.
   3. Enforce test mode.

I tried setting it to "3", but that still does not allow certs issued by an internal CA to be protected using HPKP. The console reports:

Public-Key-Pins: The certificate used by the site was not issued by a certificate in the default root certificate store. To prevent accidental breakage, the specified header was ignored.

Is there a way to force FF to protect internal certs too?
Modified by gwint
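To make the pinning decision the question is about concrete, here is an added model (not Mozilla code and not from the poster) of how a Public-Key-Pins header is parsed, how a pin-sha256 value is derived from a certificate's SubjectPublicKeyInfo, and how the security.cert_pinning.enforcement_level values listed above change whether a chain ending at a user-added CA is checked at all. Pin format and header directives follow RFC 7469; the level semantics follow the list quoted in the question. Treating level 3 as always enforcing, and the stand-in SPKI byte strings, are assumptions.

```python
"""Model of HPKP pin checking under Firefox's enforcement-level pref.

Added illustration for this thread; not Mozilla code. Pin format and header
directives follow RFC 7469; level meanings follow the list in the question.
Level 3 ("Enforce test mode") is modelled as always enforcing (assumption).
"""
import base64
import hashlib
import re

PINNING_DISABLED = 0     # security.cert_pinning.enforcement_level values
ALLOW_USER_MITM = 1      # default: not enforced when the trust anchor is a user-inserted CA
STRICT = 2
ENFORCE_TEST_MODE = 3    # assumed to enforce like STRICT in this model


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value for a certificate: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


_PIN_DIRECTIVE = re.compile(r'^pin-sha256="([A-Za-z0-9+/]+={0,2})"$', re.IGNORECASE)


def parse_pkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins header value into pins, max-age and includeSubDomains."""
    pins, max_age, include_subdomains = [], None, False
    for raw in value.split(";"):
        directive = raw.strip()
        m = _PIN_DIRECTIVE.match(directive)
        if m:
            pins.append(m.group(1))
        elif directive.lower().startswith("max-age="):
            max_age = int(directive.split("=", 1)[1].strip().strip('"'))
        elif directive.lower() == "includesubdomains":
            include_subdomains = True
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_subdomains}


def header_is_valid(parsed: dict, chain_spkis: list) -> bool:
    """RFC 7469 shape: max-age present, one pin matching the validated chain, one backup pin not in it."""
    if parsed["max_age"] is None or len(parsed["pins"]) < 2:
        return False
    chain_pins = {spki_pin(s) for s in chain_spkis}
    matched = [p for p in parsed["pins"] if p in chain_pins]
    backup = [p for p in parsed["pins"] if p not in chain_pins]
    return bool(matched) and bool(backup)


def pins_enforced(level: int, anchor_is_builtin: bool) -> bool:
    """Decide whether pins apply, given the pref level and the kind of trust anchor."""
    if level == PINNING_DISABLED:
        return False
    if level == ALLOW_USER_MITM:
        return anchor_is_builtin       # user-added CA: pinning violations ignored
    return True                        # STRICT (and, by assumption, level 3)


def evaluate(level: int, anchor_is_builtin: bool, chain_spkis: list, pinned: list) -> str:
    """Return 'not-enforced', 'ok' or 'violation' for a validated chain against stored pins."""
    if not pins_enforced(level, anchor_is_builtin):
        return "not-enforced"
    chain_pins = {spki_pin(s) for s in chain_spkis}
    return "ok" if chain_pins & set(pinned) else "violation"


if __name__ == "__main__":
    # Constructed sample: stand-in SPKI bytes, not real keys.
    leaf, intermediate, backup = b"leaf-spki", b"intermediate-spki", b"backup-spki"
    header = (f'pin-sha256="{spki_pin(intermediate)}"; '
              f'pin-sha256="{spki_pin(backup)}"; max-age=5184000; includeSubDomains')
    parsed = parse_pkp_header(header)
    print(header_is_valid(parsed, [leaf, intermediate]))
    # Same chain, user-added anchor: level 1 skips the check, level 2 enforces it.
    print(evaluate(ALLOW_USER_MITM, False, [leaf, intermediate], parsed["pins"]))
    print(evaluate(STRICT, False, [leaf, intermediate], parsed["pins"]))
    print(evaluate(STRICT, False, [b"other-spki"], parsed["pins"]))
```

The model only covers the pin check on an already-validated chain; whether Firefox accepts and stores the header for a site whose chain ends at a non-default root (the "header was ignored" message in the question) is a separate step that this snippet does not claim to reproduce.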