Certificate pinning

Cloudflare does not support HTTP public key pinning (HPKP)[1] for Universal, Advanced, or Custom Hostname certificates.

Cloudflare regularly rotates the edge certificates provisioned for your domain. If HPKP were enabled, your domain would go offline each time a certificate rotates because the new certificate would not match the pinned key. Additionally, industry experts discourage using HPKP. For a detailed overview, refer to the Cloudflare blog post on why certificate pinning is outdated.

The problem HPKP tries to solve is preventing certificate misissuance. A safer way to detect misissuance without risking downtime is Certificate Transparency Monitoring, which alerts you when a certificate is issued for your domain.

If you must pin certificates

If your use case requires certificate pinning, the only advisable approach is to upload a custom certificate to Cloudflare and pin to that certificate. Because you control the certificate lifecycle — including renewal timing, CA selection, and key material — you can ensure pin continuity. However, pinning still carries outage risk: if a renewal deploys a new key, clients pinned to the old key will fail TLS. If you need pin continuity, you must intentionally reuse the same key material during renewal. Test renewed certificates in the staging environment before production.

Select the user-defined bundle method so that you control exactly which CA, intermediate, and leaf certificate are served.
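The pin-continuity check described above, as an added example that is not Cloudflare's own tooling: it computes the SPKI pin (base64 SHA-256 of the DER SubjectPublicKeyInfo, the value HPKP and most client-side pin sets use) and confirms a renewed certificate still matches the deployed one before you upload it as a custom certificate. It assumes `openssl` is installed; the sample certificates and the `example.com` subject are constructed locally so it runs offline.

```shell
#!/bin/sh
# Added example: verify that a renewed certificate keeps the SPKI pin of the
# certificate currently deployed, so clients pinned to that key keep working.
set -eu

# Print the SPKI pin of a PEM certificate: base64(SHA-256(DER SubjectPublicKeyInfo)).
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl enc -base64
}

# Succeed only if the renewed cert reuses the deployed cert's key material,
# i.e. the pin does not change and pinned clients will still complete TLS.
pin_continuity_ok() {
  [ "$(spki_pin "$1")" = "$(spki_pin "$2")" ]
}

# Constructed sample certificates (not real Cloudflare certs) in a temp dir:
# deployed.pem and renewed-same-key.pem share a key; renewed-new-key.pem does not.
make_samples() {
  dir=$(mktemp -d)
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$dir/key1.pem" 2>/dev/null
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$dir/key2.pem" 2>/dev/null
  for n in deployed:key1 renewed-same-key:key1 renewed-new-key:key2; do
    openssl req -new -x509 -key "$dir/${n#*:}.pem" -subj "/CN=example.com" \
      -days 30 -out "$dir/${n%:*}.pem" 2>/dev/null
  done
  echo "$dir"
}

# Usage: ./pincheck.sh deployed.pem renewed.pem
if [ $# -eq 2 ]; then
  pin_continuity_ok "$1" "$2" && echo "pin unchanged: $(spki_pin "$2")" \
    || echo "PIN CHANGED: clients pinned to the deployed key will fail TLS"
fi
```

Run the check against the certificate you are about to upload; a changed pin means the renewal used a new key and pinned clients will break until they ship an updated pin set.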

Footnotes

  1. Key pinning allows a host to instruct a browser to only accept certain public keys when communicating with it for a given period of time.