NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN means the browser expected a specific public key (HPKP or Certificate Transparency static pin) in the cert chain but it is missing. Cause: the site rotated certs while an old pin is still alive (max-age). Fix: clear HSTS/pinning in Chrome (chrome://net-internals), wait for the pin to expire, or for static pins — update Chrome.
This error blocks HTTPS access. Below: causes, fixes, working config, FAQ.
Free online tool — SSL certificate checker: instant results, no signup.
chrome://net-internals/#hsts → Delete domain → enter your domainchrome://net-internals/#sockets → Flush socketsPublic-Key-Pins: max-age=0;server {
listen 443 ssl http2;
server_name example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;
ssl_stapling on;
ssl_stapling_verify on;
}The NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error occurs when a browser detects that a pinned SSL certificate does not match the certificate chain presented by the server. To resolve this issue, ensure that the correct public key is included in the certificate chain and that the server's SSL configuration correctly implements HTTP Public Key Pinning (HPKP). Use openssl s_client -connect yourdomain.com:443 -showcerts to inspect the certificates in use.
The NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error is primarily associated with HTTP Public Key Pinning (HPKP), a security feature that allows web servers to specify which public keys are valid for a specific domain. If a browser encounters a mismatch between the pinned keys and the SSL certificate chain provided by the server, it will throw this error, blocking access to the site.
HPKP reduces the risk of man-in-the-middle attacks by ensuring that a browser only trusts certificates that are associated with specific public keys. However, this feature can lead to issues if not configured correctly. The following factors can contribute to this error:
To troubleshoot the issue, you can use tools like openssl or online SSL checkers to verify the SSL certificate chain and confirm that the public keys match the pinned keys.
To resolve the NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error, follow these practical steps:
openssl s_client -connect yourdomain.com:443 -showcertsThis command will display the certificates in the chain. Verify that the public key of the pinned certificate matches one of the certificates in the chain.
Public-Key-Pins: pin-sha256="base64=="; pin-sha256="base64=="; max-age=5184000; includeSubDomainsReplace the placeholders with your actual pinned keys. Make sure that the keys correspond to the public keys in your SSL certificate chain.
openssl command or an online SSL testing tool. Ensure that there are no errors and that the correct keys are present in the chain.By following these steps, you should be able to resolve the NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error and ensure a secure connection for users accessing your site.
SSL/TLS is the encryption protocol that protects data between the browser and server. Our tool analyzes the certificate, chain of trust, TLS version, and knownvulnerabilities.
Issuer, validity period, signature algorithm, covered domains (SAN), and validation type (DV/OV/EV).
Full chain verification: from leaf certificate through intermediates to root CA.
Protocol version (TLS 1.2/1.3), cipher suites, Perfect Forward Secrecy (PFS) support.
Set up a monitor — get Telegram and email alerts 30/14/7 days before expiration.
SSL certificate monitoring
TLS config audit
HTTPS as ranking factor
customer trust
www and subdomains.Strict-Transport-Security header forces browsers to always use HTTPS.SSL certificate monitoring, check history and alerts 30 days before expiry.
Sign up freeHTTP Public Key Pinning bound a domain to specific public keys. Chrome 72+ removed support (2018) due to the risk of locking yourself out on misconfiguration.
Chrome ships built-in pins for ~50 large sites (Google, Facebook, Twitter). Not toggleable via UI. Protects against MITM on those domains.
chrome://net-internals/#hsts → Delete domain. Also clear cookies/cache for the domain. Restart Chrome.
No. Expect-CT required certs in CT logs (Certificate Transparency), not pinning. Also deprecated since 2022 — CT is enforced automatically now.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.