Enable HPKP for internal CA

  • No replies
  • 2 have this problem
  • 3 views

I know that: Firefox and Chrome disable pin validation for pinned hosts whose validated certificate chain terminates at a user-defined trust anchor (rather than a built-in trust anchor). This means that for users who imported custom root certificates all pinning violations are ignored. (https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning)

However, there are settings that seem to override that and force a user-defined CA to be checked against HPKP:

The pinning level is enforced by a pref, security.cert_pinning.enforcement_level

   0. Pinning disabled
   1. Allow User MITM (pinning not enforced if the trust anchor is a user inserted CA, default)
   2. Strict. Pinning is always enforced.
   3. Enforce test mode.

(https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning)

I tried setting it to "3", but that still does not allow certs issued by an internal CA to be protected using HPKP: Public-Key-Pins: The certificate used by the site was not issued by a certificate in the default root certificate store. To prevent accidental breakage, the specified header was ignored.

Is there a way to force FF to protect internal certs too?

Thanks

Modified by gwint
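The following is an added example, not code from the post or from Firefox, that models the decision the post is asking about: whether a Public-Key-Pins header is evaluated or ignored depending on the quoted security.cert_pinning.enforcement_level values and on whether the chain ends at a built-in or a user-imported trust anchor. The pin computation is the one RFC 7469 defines (base64 of the SHA-256 of the DER-encoded SubjectPublicKeyInfo), and the two-pin (backup pin) requirement is also from RFC 7469. Level 3 ("Enforce test mode") is not modeled because the post does not define its behaviour; the SPKI byte strings are constructed stand-ins, not real keys.

```python
import base64
import hashlib

# Enforcement levels as listed on the Mozilla wiki text quoted in the post.
PINNING_DISABLED = 0   # 0. Pinning disabled
ALLOW_USER_MITM = 1    # 1. Not enforced if the trust anchor is a user-inserted CA (default)
STRICT = 2             # 2. Pinning is always enforced


def parse_public_key_pins(header):
    """Parse a Public-Key-Pins header value into (pins, max_age, include_subdomains)."""
    pins, max_age, include_subdomains = [], None, False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            pins.append(value)
        elif name == "max-age":
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    return pins, max_age, include_subdomains


def spki_pin(spki_der):
    """pin-sha256 value per RFC 7469: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def evaluate(header, chain_spkis, anchor_is_builtin, enforcement_level):
    """Decide whether the connection passes pin validation.

    chain_spkis: DER SPKIs of every certificate in the validated chain.
    anchor_is_builtin: True if the chain terminates at a built-in root,
    False if it terminates at a user-imported (e.g. internal CA) root.
    Returns (accepted, reason).
    """
    if enforcement_level == PINNING_DISABLED:
        return True, "pinning disabled"
    if enforcement_level == ALLOW_USER_MITM and not anchor_is_builtin:
        # This is the case the post observes: the header is ignored, not enforced.
        return True, "header ignored: chain terminates at a user-defined trust anchor"
    if enforcement_level not in (ALLOW_USER_MITM, STRICT):
        raise ValueError("enforcement level %r not modeled here" % enforcement_level)

    pins, _, _ = parse_public_key_pins(header)
    chain_pins = {spki_pin(spki) for spki in chain_spkis}
    # RFC 7469 requires a backup pin: at least one pin not present in the chain.
    if len(pins) < 2 or not (set(pins) - chain_pins):
        return True, "header ignored: no backup pin present"
    if chain_pins & set(pins):
        return True, "pin matched"
    return False, "pin validation failed: no chain SPKI matches a noted pin"


# Constructed sample inputs (not real keys).
LEAF_SPKI = b"constructed SPKI of the internal leaf certificate"
BACKUP_SPKI = b"constructed SPKI of an offline backup key"
OTHER_SPKI = b"constructed SPKI of an unrelated key"

HEADER = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains' % (
    spki_pin(LEAF_SPKI), spki_pin(BACKUP_SPKI))


def demo():
    """Run the scenarios from the post: internal CA (user anchor) at levels 1 and 2."""
    return {
        "user_anchor_level1": evaluate(HEADER, [LEAF_SPKI], False, ALLOW_USER_MITM),
        "user_anchor_level2_match": evaluate(HEADER, [LEAF_SPKI], False, STRICT),
        "user_anchor_level2_mismatch": evaluate(HEADER, [OTHER_SPKI], False, STRICT),
        "builtin_anchor_level1_mismatch": evaluate(HEADER, [OTHER_SPKI], True, ALLOW_USER_MITM),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("%-32s accepted=%s  %s" % (name, ok, reason))
```

With the default level 1 a user-imported root makes the header a no-op, which is exactly the "the specified header was ignored" message in the post; only level 2 makes the pins count for an internal CA, and then a pin mismatch fails the connection outright, so the backup pin must be in place before switching.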