Skip to content

ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN: Fix

Key idea:

NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN means the browser expected a specific public key (HPKP or Certificate Transparency static pin) in the cert chain but it is missing. Cause: the site rotated certs while an old pin is still alive (max-age). Fix: clear HSTS/pinning in Chrome (chrome://net-internals), wait for the pin to expire, or for static pins — update Chrome.

This error blocks HTTPS access. Below: causes, fixes, working config, FAQ.

Check your site's SSL →

Common Causes

  • Site changed its SSL cert while the old HPKP pin is still valid
  • Chrome static pin (built into the browser) does not match
  • Corporate proxy with MITM cert not in the pin list
  • Client was MITMed on a previous visit
  • Broken HPKP header on the server (max-age too large)

Step-by-Step Fix

  1. Open chrome://net-internals/#hsts → Delete domain → enter your domain
  2. Clear TLS state: chrome://net-internals/#sockets → Flush sockets
  3. Remove HPKP from the server (deprecated since 2018): Public-Key-Pins: max-age=0;
  4. For static pins (e.g. google.com, facebook.com) — only a Chrome update
  5. Inspect the cert chain via SSL Checker to see the current chain

Check SSL Certificate →

Example: Proper nginx TLS config

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;

    ssl_stapling        on;
    ssl_stapling_verify on;
}

Related SSL Errors

TL;DR: Fixing NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN

The NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error occurs when a browser detects that a pinned SSL certificate does not match the certificate chain presented by the server. To resolve this issue, ensure that the correct public key is included in the certificate chain and that the server's SSL configuration correctly implements HTTP Public Key Pinning (HPKP). Use openssl s_client -connect yourdomain.com:443 -showcerts to inspect the certificates in use.

Understanding the Cause of NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN

The NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error is primarily associated with HTTP Public Key Pinning (HPKP), a security feature that allows web servers to specify which public keys are valid for a specific domain. If a browser encounters a mismatch between the pinned keys and the SSL certificate chain provided by the server, it will throw this error, blocking access to the site.

HPKP reduces the risk of man-in-the-middle attacks by ensuring that a browser only trusts certificates that are associated with specific public keys. However, this feature can lead to issues if not configured correctly. The following factors can contribute to this error:

  • Expired or Revoked Certificates: If the pinned certificate has expired or been revoked, the browser will reject the connection.
  • Incorrect Certificate Chain: If the server presents an incorrect certificate chain that does not include the pinned public key, the browser will flag it as an error.
  • Misconfigured HPKP Headers: If the HPKP headers are not properly set or the keys are incorrect, this can lead to the error.

To troubleshoot the issue, you can use tools like openssl or online SSL checkers to verify the SSL certificate chain and confirm that the public keys match the pinned keys.

Practical Steps to Resolve NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN

To resolve the NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error, follow these practical steps:

  1. Inspect the SSL Certificate: Use the following command to inspect the SSL certificate chain:
openssl s_client -connect yourdomain.com:443 -showcerts

This command will display the certificates in the chain. Verify that the public key of the pinned certificate matches one of the certificates in the chain.

  1. Check HPKP Headers: Ensure that your web server is sending the correct HPKP headers. The headers should look something like this:
Public-Key-Pins: pin-sha256="base64=="; pin-sha256="base64=="; max-age=5184000; includeSubDomains

Replace the placeholders with your actual pinned keys. Make sure that the keys correspond to the public keys in your SSL certificate chain.

  1. Update Certificate Chain: If there is a mismatch, update your server's SSL configuration to include the correct certificate chain. This may involve obtaining a new certificate from your Certificate Authority (CA) or reconfiguring your server settings.
  2. Test the Configuration: After making changes, retest your SSL configuration using the openssl command or an online SSL testing tool. Ensure that there are no errors and that the correct keys are present in the chain.

By following these steps, you should be able to resolve the NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error and ensure a secure connection for users accessing your site.

CertificateExpiry, issuer, domains (SAN)
ChainIntermediate and root CA validation
TLS ProtocolTLS version and cipher suite
VulnerabilitiesHeartbleed, POODLE, weak ciphers

Why teams trust us

TLS 1.3
supported
Full
CA chain check
<2s
result
30/14/7
days-to-expiry alerts

How it works

1

Enter domain

2

TLS chain verified

3

Expiry date & vulnerabilities

What Does the SSL Check Cover?

SSL/TLS is the encryption protocol that protects data between the browser and server. Our tool analyzes the certificate, chain of trust, TLS version, and knownvulnerabilities.

Certificate Details

Issuer, validity period, signature algorithm, covered domains (SAN), and validation type (DV/OV/EV).

Chain of Trust

Full chain verification: from leaf certificate through intermediates to root CA.

TLS Analysis

Protocol version (TLS 1.2/1.3), cipher suites, Perfect Forward Secrecy (PFS) support.

Expiry Alerts

Set up a monitor — get Telegram and email alerts 30/14/7 days before expiration.

DV vs OV vs EV Certificates

DV (Domain Validation)
  • Confirms domain ownership only
  • Issued in minutes automatically
  • Free via Let's Encrypt
  • Suitable for most websites
  • Most common certificate type
OV / EV
  • Organization (OV) or Extended Validation (EV)
  • Issued in 1-5 business days
  • Costs $50 to $500/year
  • For finance, e-commerce, government sites
  • Increases user trust

Who uses this

DevOps

SSL certificate monitoring

Security

TLS config audit

SEO

HTTPS as ranking factor

E-commerce

customer trust

Common Mistakes

Expired certificateBrowsers block sites with expired SSL. Set up auto-renewal or monitoring.
Incomplete certificate chainWithout intermediate CA, some browsers and bots cannot verify the certificate.
Mixed content on HTTPS siteHTTP resources on an HTTPS page — the browser lock icon disappears, reducing trust.
Using TLS 1.0/1.1Legacy TLS versions have known vulnerabilities. Use TLS 1.2+ or 1.3.
Domain mismatch in certificateThe certificate must cover all site domains, including www and subdomains.

Best Practices

Set up auto-renewalLet's Encrypt + certbot with cron — certificate renews automatically every 60-90 days.
Enable HSTSStrict-Transport-Security header forces browsers to always use HTTPS.
Use TLS 1.3TLS 1.3 is faster (1-RTT handshake) and safer — legacy ciphers removed.
Monitor expiration datesCreate a monitor on Enterno.io — get notified well before expiration.
Verify chain after renewalAfter certificate renewal, confirm that intermediate certificates are installed.

Get more with a free account

SSL certificate monitoring, check history and alerts 30 days before expiry.

Sign up free

Learn more

Sources

Frequently Asked Questions

What is HPKP and why is it deprecated?

HTTP Public Key Pinning bound a domain to specific public keys. Chrome 72+ removed support (2018) due to the risk of locking yourself out on misconfiguration.

What is static pinning in Chrome?

Chrome ships built-in pins for ~50 large sites (Google, Facebook, Twitter). Not toggleable via UI. Protects against MITM on those domains.

How do I fully reset Chrome state for a domain?

chrome://net-internals/#hsts → Delete domain. Also clear cookies/cache for the domain. Restart Chrome.

Is Expect-CT a replacement for HPKP?

No. Expect-CT required certs in CT logs (Certificate Transparency), not pinning. Also deprecated since 2022 — CT is enforced automatically now.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.