
I renewed my LetsEncrypt certificate on my Website where I used certificate pinning before.

Now I removed those headers in my webserver config and the site works fine again without pinning.

But on my browsers, where I already visited this website, the certificate is still pinned, so I cannot open them.

I found out how to remove those certificates in Chrome:

https://linux-audit.com/delete-a-hsts-key-pin-in-chrome/

  • Go to the URL chrome://net-internals/#hsts
  • Now delete the related domain

But I am worried that the certificate is cached for ages in browsers and my visitors that don't know how to remove the certificate cannot visit the site anymore.

How can I find out the damage done? How long will the old certificate be cached? And most important: How can I remove the cert in Firefox?

I can't find it in Preferences > Advanced > Certificates > View Certificates

  • How many visitors do you have? How long did you have HSTS enabled and what time frame did you configure? Take that into account and you could get an idea of how many visitors are affected.
    – Seth
    Commented Oct 17, 2016 at 8:04
  • It is an Information site for Freifunk with maybe 10 to 100 visitors a day. We had HSTS enabled for a month.
    – rubo77
    Commented Oct 17, 2016 at 9:23
  • If this old certificate stays in cache longer than a day, I would like to inform our users how they can remove the old website
    – rubo77
    Commented Oct 17, 2016 at 9:25
  • The idea behind HSTS is that it stays in cache for several months, e.g. an Nginx article uses a whole year. So it really depends on what you've configured max-age to be. In addition, most browsers shouldn't let users skip the error or use an HTTP variant of the page, so you might have some trouble reaching your users. Instead, why not use a valid HTTPS cert and continue using HTTPS?
    – Seth
    Commented Oct 17, 2016 at 9:30
  • See also: security.stackexchange.com/questions/124400/… So did you actually opt for "real" pinning or just HSTS?
    – Seth
    Commented Oct 17, 2016 at 9:37

1 Answer

Information found at URL https://linux-audit.com/deleting-outdated-hpkp-key-pins-in-firefox/:

  1. Exit Firefox
  2. Manually edit the file named "SiteSecurityServiceState.txt" in the Firefox profile you are using (under Linux its default location is under ~/.mozilla/firefox)

You might consider duplicating the profile first, and doing a dry run on the duplicate profile.
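An added example (not from this answer or from linux-audit.com) of scripting the edit described above: it backs up SiteSecurityServiceState.txt and drops every HSTS and HPKP line for one host and its subdomains. The tab-separated layout of the file and the meaning of its fields are assumptions, and the sample contents are constructed.

```python
# Added example, not the answer's or linux-audit.com's code: strip stale HSTS/HPKP
# state for one host from Firefox's SiteSecurityServiceState.txt, keeping a backup.
# Run with Firefox closed. Assumed layout (one entry per line, tab separated):
#   host:TYPE <TAB> score <TAB> last-accessed-day <TAB> expiry_ms,flags[,pins]
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def parse_entry(line):
    """Return (host, type, expiry_ms) for one state line, or None if unparsable."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 4 or ":" not in fields[0]:
        return None
    host, kind = fields[0].rsplit(":", 1)
    expiry = fields[3].split(",", 1)[0]
    return host, kind, int(expiry) if expiry.isdigit() else None


def split_state(lines, target):
    """Split lines into (kept, dropped); dropped covers target and its subdomains."""
    kept, dropped = [], []
    for line in lines:
        entry = parse_entry(line)
        if entry and (entry[0] == target or entry[0].endswith("." + target)):
            dropped.append(entry)
        else:
            kept.append(line)  # unrelated hosts and unparsable lines stay untouched
    return kept, dropped


def scrub_profile(state_file, target):
    """Back up state_file, rewrite it without entries for target, return what was dropped."""
    path = Path(state_file)
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    kept, dropped = split_state(path.read_text().splitlines(keepends=True), target)
    path.write_text("".join(kept))
    return dropped


if __name__ == "__main__":
    # Constructed sample profile: HSTS + HPKP for example.org plus one unrelated host.
    with tempfile.TemporaryDirectory() as profile:
        state = Path(profile, "SiteSecurityServiceState.txt")
        state.write_text("example.org:HSTS\t0\t17091\t1508400000000,1,0\n"
                         "example.org:HPKP\t0\t17091\t1508400000000,1,0,PINS\n"
                         "other.test:HSTS\t0\t17091\t1508400000000,1,0\n")
        for host, kind, expiry in scrub_profile(state, "example.org"):
            until = datetime.fromtimestamp(expiry / 1000, tz=timezone.utc)
            print(f"removed {kind} entry for {host} (would have expired {until:%Y-%m-%d})")
```

Point `scrub_profile` at the real file in your profile directory (the answer gives ~/.mozilla/firefox on Linux) and keep the generated .bak until you have confirmed the site loads again.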
