Certificate pinning
Cloudflare does not support HTTP public key pinning (HPKP)[1] for Universal, Advanced, or Custom Hostname certificates.
This is because Cloudflare regularly changes the edge certificates provisioned for your domain and - if you had HPKP enabled - your domain would go offline. Additionally, industry experts discourage using HPKP.
For a better solution to the problem that HPKP is trying to solve - preventing certificate misissuance - use Certificate Transparency Monitoring.
To avoid downtime when pinning your certificates, use custom certificates and select the user-defined bundle method. This way you can control which CA, intermediate, and certificate will be used after renewal.
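A pre-renewal check for the approach above, as an added example that is not Cloudflare's code: it computes the SHA-256 SubjectPublicKeyInfo hash that HPKP-style pins use and confirms the replacement chain still contains a pinned key. `constructed_cert` is a hypothetical helper that builds unsigned sample structures with placeholder fields; in practice you would pass the DER bytes of your real certificates.

```python
import base64
import hashlib

def _tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, end)."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, start = int.from_bytes(buf[start:start + n], "big"), start + n
    return tag, start, start + length

def spki_pin(cert_der):
    """base64(SHA-256(DER SubjectPublicKeyInfo)) of an X.509 certificate."""
    _, tbs_at, _ = _tlv(cert_der, 0)        # outer Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, tbs_at)      # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                         # optional [0] version field
        pos = end
    for _field in range(5):  # serial, signature alg, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    _, _, end = _tlv(cert_der, pos)         # subjectPublicKeyInfo, header included
    return base64.b64encode(hashlib.sha256(cert_der[pos:end]).digest()).decode()

def chain_satisfies_pins(chain_der, pinned):
    """True if at least one certificate in the chain carries a pinned key."""
    return any(spki_pin(cert) in pinned for cert in chain_der)

def _der(tag, *parts):
    """Encode one DER TLV (used only to build the constructed samples)."""
    body = b"".join(parts)
    n = len(body)
    if n < 0x80:
        head = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def constructed_cert(serial, key_bytes):
    """Constructed, unsigned skeleton: real field order, placeholder contents."""
    spki = _der(0x30, _der(0x30, _der(0x06, b"\x2a\x03")), _der(0x03, b"\x00" + key_bytes))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, bytes([serial])),
               _der(0x30), _der(0x30), _der(0x30), _der(0x30), spki)
    return _der(0x30, tbs, _der(0x30), _der(0x03, b"\x00")), spki

if __name__ == "__main__":
    old, _ = constructed_cert(1, b"\xaa" * 270)
    rekeyed, _ = constructed_cert(3, b"\xbb" * 270)  # renewal with a new key
    print(spki_pin(old), chain_satisfies_pins([rekeyed], {spki_pin(old)}))
```

A renewal that reuses the pinned key, or keeps a pinned intermediate in the bundle, passes the check; a rekeyed leaf under an unpinned chain does not.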
[1] Key pinning allows a host to instruct a browser to only accept certain public keys when communicating with it for a given period of time.