I renewed my LetsEncrypt certificate on my Website where I used certificate pinning before.
Now I removed those headers in my webserver config and the site works fine again without pinning.
But in the browsers where I had already visited this website, the certificate is still pinned, so I cannot open it.
I found out how to remove those certificates in Chrome:
https://linux-audit.com/delete-a-hsts-key-pin-in-chrome/
- Go to the URL chrome://net-internals/#hsts
- Now delete the related domain
But I am worried that the certificate is cached for ages in browsers and that my visitors who don't know how to remove the certificate cannot visit the site anymore.
How can I find out the damage done? How long will the old certificate be cached? And most important: How can I remove the cert in Firefox?
I can't find it in Preferences > Advanced > Certificates > View Certificates.
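To put numbers on the "how long" and "how much damage" questions, here is an added example (not from the question or from any answer on this page). It parses the old Public-Key-Pins header, computes when a client that last received that header will stop enforcing the pin, and checks whether the renewed certificate's key still matches one of the pinned SPKI hashes (if Let's Encrypt renewal reused the key, the pin still matches and nothing is broken). The header, the SPKI byte strings and the dates are constructed placeholders, not values from the asker's site; the 60-day cap is the limit Chromium applies to HPKP max-age.

```python
"""Assess the fallout of a retired HPKP (Public-Key-Pins) header after a key change.

Added example, not code from the original question or answers. All sample
values below are constructed for illustration.
"""
import base64
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Chromium clamps a received HPKP max-age to 60 days; other clients may not.
CHROME_HPKP_MAX_AGE_CAP = 60 * 24 * 3600


def spki_pin(spki_der):
    """HPKP pin value (RFC 7469): base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_hpkp(header):
    """Return (pins, max_age_seconds, include_subdomains) from a Public-Key-Pins value."""
    pins = []
    for raw in re.findall(r'pin-sha256="([^"]+)"', header):
        if len(base64.b64decode(raw)) != 32:
            raise ValueError("pin-sha256 must be base64 of a 32-byte digest: %r" % raw)
        pins.append(raw)
    m = re.search(r"max-age=(\d+)", header)
    if m is None:
        raise ValueError("Public-Key-Pins requires a max-age directive")
    include_sub = re.search(r"(?i)(^|;)\s*includeSubDomains\s*(;|$)", header) is not None
    return pins, int(m.group(1)), include_sub


def pin_expiry(last_received, max_age, cap=CHROME_HPKP_MAX_AGE_CAP):
    """A client enforces the pin for max-age seconds after it LAST received the header."""
    return last_received + timedelta(seconds=min(max_age, cap))


def assess(header, new_spki_der, last_received, now):
    """Classify what a client that cached `header` at `last_received` does at `now`."""
    pins, max_age, include_sub = parse_hpkp(header)
    expiry = pin_expiry(last_received, max_age)
    new_pin = spki_pin(new_spki_der)
    if new_pin in pins:
        status = "ok"          # renewed key matches a pin: no breakage at all
    elif now >= expiry:
        status = "expired"     # pin has aged out: client connects again
    else:
        status = "broken"      # hard failure, no click-through, until expiry
    return {
        "status": status,
        "new_pin": new_pin,
        "expiry": expiry,
        "include_subdomains": include_sub,
        "days_left": max(0, (expiry - now).days),
    }


# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs. For a real
# site, feed the bytes produced by:
#   openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der
OLD_SPKI = b"constructed SPKI DER of the key that was pinned"
BACKUP_SPKI = b"constructed SPKI DER of the pinned backup key"
NEW_SPKI = b"constructed SPKI DER of the renewed key"

# Constructed copy of the header the webserver used to send (max-age = 60 days).
OLD_HPKP_HEADER = (
    'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains'
    % (spki_pin(OLD_SPKI), spki_pin(BACKUP_SPKI))
)

if __name__ == "__main__":
    last_visit = datetime(2017, 3, 1, tzinfo=timezone.utc)   # constructed date
    today = datetime(2017, 3, 15, tzinfo=timezone.utc)       # constructed date
    for label, spki in (("renewed key", NEW_SPKI), ("old key reused", OLD_SPKI)):
        r = assess(OLD_HPKP_HEADER, spki, last_visit, today)
        print("%-15s %-8s pin=%s expires=%s days_left=%d"
              % (label, r["status"], r["new_pin"], r["expiry"].date(), r["days_left"]))
```

Two things the numbers make obvious: the clock starts at the visitor's last visit while the header was still served, not at the day you removed it, so the worst case is `max-age` after the last day the header was live; and includeSubDomains means every subdomain is affected for the same period. Checking the renewed certificate's SPKI against the old pins tells you whether there is any damage at all before you worry about expiry.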
max-age
to be. In addition, most browsers won't let users skip the error or use an HTTP variant of the page, so you might have some trouble reaching your users. Instead, why not use a valid HTTPS cert and continue using HTTPS?