How to Fix ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN

SSL_PINNED_KEY_NOT_IN_CERT_CHAIN Error

Common Causes:

Incorrect Key Pinning Configuration

One of the most frequent causes of the NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error message is an incorrect key pinning configuration.

Key pinning is a security mechanism by which a site declares the specific public keys it expects to see in the certificate chain presented on connections to it.


If the pinned public key does not match the keys in the server’s certificate chain, the connection will be terminated, and the browser will show this error.

This mismatch can arise when the wrong key was pinned, when the certificate chain is changed without updating the pins, or when a new certificate is deployed whose public key is not included in the pin set.

One way to prevent this is to ensure that only the correct public keys are pinned and that the pin set is updated whenever the certificates change.

Certificate Chain Issues

Certificate chain issues are another common cause of this error message. A certificate chain, or chain of trust, contains several certificates, from the end-entity (website) certificate up through the intermediate CAs to the trusted root CA.


A missing or incorrect intermediate certificate is a frequent source of problems. Browsers use these intermediates to build a trust path to the root CA.

For instance, if an intermediate certificate is left out or installed incorrectly, the browser cannot establish the chain of trust, and this error results.

The fix is to ensure that all intermediate certificates are installed and linked in the correct order.

Expired or Mismatched Certificates

Expired or mismatched certificates can also trigger this issue. Certificates have a fixed lifetime, after which they cannot be relied upon unless they are renewed.

If any certificate in the chain, not only the site's own certificate but also the intermediates, has expired, the chain of trust is broken.

Furthermore, if there is a discrepancy between the certificate the client expects and the certificate the server presents, this error is bound to show up.

This mismatch can occur, for example, when the certificate is renewed or replaced and the public key in the new certificate is not the same as the pinned one.

To avoid this, regularly check the validity of all certificates and make sure that any renewal or replacement is reflected in the key pinning configuration.

Server Misconfiguration

Server misconfiguration is another cause: wrong server settings, unsuitable SSL/TLS configuration, or failure to serve the full certificate chain.

For instance, if a server is not configured to send the intermediate certificates alongside the end-entity certificate, the client cannot verify the chain of trust.

Configure the server to send the full certificate chain and to use appropriate SSL/TLS parameters so that this message does not appear.

Such misconfigurations are best caught through regular audits and configuration checks.

Browser Caching Issues

Browsers cache SSL/TLS data such as certificate chains and public key pins to improve performance.

However, if the certificate chain or the key pinning configuration has changed, the browser cache may still hold obsolete information that causes this error.

Clearing the browser cache or doing a forced refresh of the page resolves this in many cases.

Site administrators should also pay attention to their cache-control headers and warn users to clear their cache whenever the certificate chain or key pinning changes.

Steps to Fix ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN (For Webmasters)

Pin keys only if you are experienced and confident in handling them.

Doing it yourself gives you tighter control over which public keys are accepted.

It limits the consequences of a private key being compromised by attackers. The disadvantage is that a mistake in the pin set can make the entire website unreachable.

Solution 1:

You may be seeing the ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error because no pinned key appears anywhere in the certificate chain, or because you pinned the wrong key for one of the intermediate certificates that make up your chain.

Keep in mind that browsers must be able to build the complete certificate chain.

Otherwise they cannot extend trust down to the end-entity certificate, because the signature on each certificate is validated with the public key of the certificate above it.

Find the offending certificate, then obtain a copy of its public key (for example from the intermediate CA's website) and pin that key.
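To see concretely what the browser checks, here is an added example (not code from the original post): it computes HPKP-style pin-sha256 values (base64 of the SHA-256 of each certificate's DER SubjectPublicKeyInfo) for every certificate in a served chain and reports whether any configured pin matches. It assumes well-formed DER input and uses a deliberately minimal DER walker rather than a full X.509 parser; the sample certificate at the bottom is constructed for the test and is not a real certificate.

```python
import base64
import hashlib

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed DER value into (tag, raw TLV) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, end = _tlv(value, pos)
        out.append((tag, value[pos:end]))
        pos = end
    return out

def spki_from_cert_der(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER-encoded X.509 certificate."""
    _, cert_body, _ = _tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    _, tbs_body, _ = _tlv(cert_body, 0)            # tbsCertificate ::= SEQUENCE
    fields = _children(tbs_body)
    if fields[0][0] == 0xA0:                       # skip optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

def pin_sha256(spki_der):
    """HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def pinned_key_in_chain(pins, chain_der):
    """The browser's check: at least one configured pin must match a key in the served chain."""
    chain_pins = {pin_sha256(spki_from_cert_der(c)) for c in chain_der}
    return any(p in chain_pins for p in pins)

# Constructed sample (not a real certificate): a structurally minimal DER certificate
# with empty issuer/subject/validity fields and an Ed25519 SubjectPublicKeyInfo.
def _der(tag, body):
    return bytes([tag, len(body)]) + body            # short-form length only (< 128 bytes)
SPKI = _der(0x30, _der(0x30, _der(0x06, b"\x2b\x65\x70"))   # AlgorithmIdentifier: id-Ed25519
            + _der(0x03, b"\x00" + bytes(range(32))))        # BIT STRING holding a dummy 32-byte key
TBS = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")  # version v3, serialNumber 1
       + _der(0x30, b"") * 4 + SPKI)                          # signature, issuer, validity, subject
CERT = _der(0x30, _der(0x30, TBS) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

Run `pinned_key_in_chain` with your configured pins against the DER certificates the server actually sends; a False result is exactly the condition that produces this error.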

Solution 2:

This is the recommended option: stop pinning keys altogether.

Even the most experienced consultants will attest that the operational burden of key pinning is not justified by the security gained, except perhaps for the largest companies and organizations.

Additionally, browsers such as Google Chrome either no longer support it or are pulling the feature.

Regularly rotating certificates and keys provides security benefits similar to those of key pinning. Nobody obliges you to pin them; instead, rotate them on a fixed schedule of every 3-6 months.

Steps to Fix ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN (For Web Visitors)

Unfortunately, there is little a web visitor can do on encountering the ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error. Still, here are some tips you may want to consider:

Solution 1:

This tip applies if the site's SSL certificate has recently been renewed. The administrator may have let the certificate expire, or the renewal itself may have changed the key.

How do you solve the problem? The best solution is to clear the domain's entry from your browser's HSTS database.

To do that,

  1. Open chrome://net-internals/#hsts in the Google Chrome address bar.
  2. Under ‘Delete domain security policies’, enter the domain name that is generating the error and click Delete.
  3. The entry is now removed from the HSTS database.
  4. Revisit the website.


Solution 2:

There is one trick you can apply, but I don’t really encourage its use.

Open the site over plain HTTP instead of HTTPS. If the website does not enforce HTTPS with an HSTS header, you may occasionally be able to reach it that way.

But remember that you will then have no transport security at all. Some people weigh their needs and accept that condition.

This is not advisable, since you have no way of knowing or guaranteeing that your password or payment details will not be exposed. All information you enter becomes visible to outsiders, namely third parties who may well have malicious intentions.

A better option is to contact the site owner, explain your situation, and ask for help.

Let them know about the ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN problem you are facing. If the website is legitimate, they will act professionally and address the issue, since they will not want to lose visitors.

Conclusion

For your website security concerns, CheapSSLweb is the perfect solution for you! Select a cost-effective SSL certificate from our comprehensive range to strengthen the security of your data, build credibility and increase customers’ confidence.

Frequently Asked Questions (FAQs)

What is the Purpose of SSL Certificate Pinning?

SSL certificate pinning secures the connection by comparing the server’s certificate against a public key already known to the client, which blocks MITM attacks that present a certificate with a different key.

How often should I update my SSL pinning configuration?

Update the SSL pinning configuration whenever a certificate changes or a key is rotated, so that the configured pins always match the current public key.

Can I disable SSL pinning to fix the error?

Disabling SSL pinning is not recommended, because it weakens the protection of user data. Instead, when the key has changed, update the pinning configuration to reflect the current certificate.

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.