HPKP generator for Nginx and Let's Encrypt


HPKPinx allows for automated, regularly renewed HPKP configuration using the following components:

The script has been tested and deployed successfully on CentOS 7 machines. Testing involved disaster recovery using the static backup pin, which is generated automatically upon install.


First off, you need to have private key rollover enabled; otherwise a renewal would produce a key that matches none of the pinned keys, and browsers that cached the pins would refuse to connect to your site. Add to /opt/dehydrated/config:


Then request a certificate renewal; this generates new production and rollover private keys. Verify that you indeed have privkey.pem and privkey.roll.pem under dehydrated/certs/<hostname>.

dehydrated certs should be available under /etc/nginx/certs:

ln -sT /opt/dehydrated/certs /etc/nginx/certs

Now get a fresh copy of HPKPinx:

git clone /opt/hpkpinx
cd /opt/hpkpinx

After this, you're prompted to move your backup private key off-server, which you should most definitely do right away.

Also make sure to regenerate the pins upon each renewal by calling For example, if you're using the Certzure DNS-01 hook, add to the end of /opt/certzure/

/opt/hpkpinx/ $1 $2

Naturally, you also have to restart Nginx after each renewal, but that is already implied by using Let's Encrypt.

Then add to your Nginx host config:

include hpkp.conf;


The config file is located at /opt/hpkpinx/ You have the following options:


The time, in seconds, that the browser should remember that this site is only to be accessed using one of the defined keys.


This is the pin of your backup key. Normally you shouldn't need to change this, unless you want to replace the generated backup key with your own. In this case, you can generate a pin for your private key with: generate_pin <your_key.pem>


  • If set to 0 (the default), Nginx will only send the Public-Key-Pins-Report-Only header and HPKP is not applied.
  • If set to 1, Nginx sends the Public-Key-Pins header and the HPKP policy for your site goes live in supported browsers.
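The two settings above come together in the header Nginx sends: the pin of the production key, the backup pin, the max-age, and the header name chosen by the report-only switch. The following is an added example, not HPKPinx's own code, that shows what a pin is (per RFC 7469: base64 of the SHA-256 over the DER-encoded SubjectPublicKeyInfo) and how the header value is assembled. It reads a PEM public key with the standard library only, so the PEM bodies it uses are constructed placeholder bytes rather than real keys; the page's `generate_pin <your_key.pem>` takes a key file and the function names below (`pin_from_public_key_pem`, `build_hpkp_header`, `nginx_add_header`) are this example's, not the project's.

```python
import base64
import hashlib
import re

PEM_BODY_RE = re.compile(
    r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.S
)


def _constructed_pem(fake_spki: bytes) -> str:
    """Wrap arbitrary bytes as a PEM 'PUBLIC KEY' block (test fixture only)."""
    body = base64.b64encode(fake_spki).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


# Constructed sample "keys": placeholders, NOT real SubjectPublicKeyInfo structures.
# The pin is just SHA-256 over the decoded DER bytes, so any bytes demonstrate the math.
PRODUCTION_KEY_PEM = _constructed_pem(b"constructed production SPKI placeholder")
BACKUP_KEY_PEM = _constructed_pem(b"constructed backup SPKI placeholder")


def spki_der_from_pem(pem_text: str) -> bytes:
    """Extract the DER SubjectPublicKeyInfo from a PEM 'PUBLIC KEY' block."""
    match = PEM_BODY_RE.search(pem_text)
    if not match:
        raise ValueError("no PUBLIC KEY block found")
    return base64.b64decode("".join(match.group(1).split()))


def pin_sha256(spki_der: bytes) -> str:
    """RFC 7469 pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_from_public_key_pem(pem_text: str) -> str:
    return pin_sha256(spki_der_from_pem(pem_text))


def is_valid_pin_set(pins) -> bool:
    """HPKP requires at least two distinct pins (production + backup), each a SHA-256 digest."""
    unique = list(dict.fromkeys(pins))
    if len(unique) < 2:
        return False
    for pin in unique:
        try:
            if len(base64.b64decode(pin, validate=True)) != 32:
                return False
        except (ValueError, TypeError):
            return False
    return True


def build_hpkp_header(pins, max_age: int, report_only: bool = True, report_uri: str = None):
    """Return (header name, header value). report_only=True mirrors HPKPinx's default of 0."""
    if not is_valid_pin_set(pins):
        raise ValueError("need at least two distinct SHA-256 pins (production and backup)")
    directives = [f'pin-sha256="{pin}"' for pin in dict.fromkeys(pins)]
    directives.append(f"max-age={int(max_age)}")
    if report_uri:
        directives.append(f'report-uri="{report_uri}"')
    name = "Public-Key-Pins-Report-Only" if report_only else "Public-Key-Pins"
    return name, "; ".join(directives)


def nginx_add_header(pins, max_age: int, report_only: bool = True) -> str:
    """Render the directive an hpkp.conf-style include would carry."""
    name, value = build_hpkp_header(pins, max_age, report_only)
    return f"add_header {name} '{value}' always;"


if __name__ == "__main__":
    prod = pin_from_public_key_pem(PRODUCTION_KEY_PEM)
    backup = pin_from_public_key_pem(BACKUP_KEY_PEM)
    # Start in report-only mode (report_only = 0 on the page), then flip to enforcing.
    print(nginx_add_header([prod, backup], 5184000, report_only=True))
    print(nginx_add_header([prod, backup], 5184000, report_only=False))
```

The backup-pin check matters operationally: a header with a single pin is rejected by browsers, and a header whose backup pin does not correspond to a key you actually hold off-server is the disaster-recovery failure the static backup pin is there to prevent. Keep the header in report-only mode until you have confirmed both pins against your real key files.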

