Can't get Enterprise Certificate pinning to work?

Fredrik Idreus 0 Reputation points
2024-06-20T13:52:04.2033333+00:00

I've tried to get certificate pinning to work, but nothing happens. Nothing in the event log either.

This is more or less the only information I found about it: https://learn.microsoft.com/en-us/windows/security/identity-protection/enterprise-certificate-pinning

I extracted the intermediate cert from the chain from the sunet.se site to R3.crt and made this XML-file:

<PinRules ListIdentifier="PinRules" Duration="P10D">
  <PinRule Name="MultipleSites" Log="true" Error="Revoked">
    <Certificate File="R3.crt"/>
    <Site Domain="sunet.se"/>
    <Site Domain=".sunet.se"/>
    <Site Domain="google.com"/>
    <Site Domain=".google.com"/>
  </PinRule>
</PinRules>

Then I ran the two certutil commands:

certutil -f -v -generatepinrulesctl certPinRules.xml pinrules.stl
certutil -setreg chain\PinRules @pinrules.stl

No errors, and everything goes in to the registry.

But access to google.com is still allowed in Edge, and nothing is logged in the event log.

What am I missing?


1 answer

  1. S.Sengupta 16,746 Reputation points MVP
    2024-06-21T01:33:34.82+00:00

    You mentioned using an intermediate certificate (R3.crt) extracted from the chain of sunet.se. Make sure this certificate is actually in the certificate chain for both sunet.se and google.com. If it's not in Google's chain, the pinning won't affect Google.

    The certutil commands you used should have added the pinning rules to the registry. You can verify this by checking:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config

    1. Double-check the XML formatting and re-run the certutil commands.
    2. Verify the registry entries were created correctly.
    3. Restart the system to ensure all changes take effect.
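An added example, not part of either post and not Microsoft's tooling, that performs the first check S.Sengupta suggests without touching the registry: it parses a PinRules document of the same shape as the one in the question, fingerprints the certificate named by each `Certificate File` entry, and reports for a given hostname whether the chain handed to it contains one of the pinned certificates. The certificate bytes and the two server chains are constructed placeholders (in real use you would read the `.crt` file and the DER chain returned by the TLS handshake), and the domain-matching rule it applies (a bare name matches exactly, a leading dot matches one subdomain level) is an assumption about the `Site Domain` semantics, not something either post states.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed PinRules document, same shape as the one in the question.
PIN_RULES_XML = """<PinRules ListIdentifier="PinRules" Duration="P10D">
  <PinRule Name="MultipleSites" Log="true" Error="Revoked">
    <Certificate File="R3.crt"/>
    <Site Domain="sunet.se"/>
    <Site Domain=".sunet.se"/>
    <Site Domain="google.com"/>
    <Site Domain=".google.com"/>
  </PinRule>
</PinRules>"""

# Constructed stand-ins for DER certificate bodies. The R3 bytes appear in the
# sunet.se chain but not in the google.com chain, mirroring the situation the
# answer asks the poster to verify.
CERT_FILES = {"R3.crt": b"constructed DER for intermediate R3"}
CHAIN_SUNET = [b"leaf sunet.se", b"constructed DER for intermediate R3", b"root ISRG"]
CHAIN_GOOGLE = [b"leaf google.com", b"constructed DER for some other intermediate", b"root GTS"]


def sha256_hex(der: bytes) -> str:
    """SHA-256 thumbprint of a DER blob, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def load_pin_rules(xml_text: str, cert_files: dict) -> list:
    """Parse PinRules XML into a list of rule dicts with pinned thumbprints."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.findall("PinRule"):
        pins = set()
        for cert in rule.findall("Certificate"):
            fname = cert.get("File")
            if fname is None:
                continue  # Directory= and Base64= forms are not modelled here
            pins.add(sha256_hex(cert_files[fname]))
        rules.append({
            "name": rule.get("Name"),
            "log": rule.get("Log", "false").lower() == "true",
            "error": rule.get("Error", "None"),
            "domains": [site.get("Domain") for site in rule.findall("Site")],
            "pins": pins,
        })
    return rules


def domain_matches(pattern: str, hostname: str) -> bool:
    """Assumed semantics: bare name is an exact match, leading dot matches
    exactly one subdomain level below it."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        parent = pattern[1:]
        if not hostname.endswith("." + parent):
            return False
        label = hostname[: -len(parent) - 1]
        return label != "" and "." not in label
    return hostname == pattern


def find_rule(rules: list, hostname: str):
    """First PinRule whose Site list covers the hostname, or None."""
    for rule in rules:
        if any(domain_matches(d, hostname) for d in rule["domains"]):
            return rule
    return None


def evaluate(rules: list, hostname: str, chain: list) -> tuple:
    """Return (verdict, detail). verdict is 'no-rule' when no Site matches,
    'pinned' when the chain contains a pinned certificate, and 'mismatch'
    when a rule applies but none of its certificates is in the chain; the
    mismatch case is where the rule's Error and Log attributes would apply."""
    rule = find_rule(rules, hostname)
    if rule is None:
        return "no-rule", f"{hostname}: no PinRule Site entry matches"
    chain_fps = {sha256_hex(c) for c in chain}
    if rule["pins"] & chain_fps:
        return "pinned", f"{hostname}: chain contains a pinned cert from rule {rule['name']}"
    return "mismatch", (f"{hostname}: no pinned cert in chain "
                        f"(Error={rule['error']}, Log={rule['log']})")


if __name__ == "__main__":
    loaded = load_pin_rules(PIN_RULES_XML, CERT_FILES)
    for host, chain in (("sunet.se", CHAIN_SUNET), ("www.sunet.se", CHAIN_SUNET),
                        ("google.com", CHAIN_GOOGLE), ("example.org", CHAIN_GOOGLE)):
        print(evaluate(loaded, host, chain)[1])
```

Run it as-is to see the three outcomes; to check a live site, replace the constructed chain list with the DER certificates from the server's handshake and `CERT_FILES["R3.crt"]` with the bytes of the extracted file. A `mismatch` for google.com with `Error=Revoked` is the expected result given the question's rule, so if Edge still connects, the rule is either not being consulted by that client or not matching the name the way you expect.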