Tags: apache, ssl, openssl, http-headers, public-key-pinning

How to properly set HPKP header (Public-Key-Pinning Header)?


I am absolutely confused about the header Public-Key-Pinning. How do you add it in Apache?

What I did:
Took the public key hash from my domain cert, intermediate cert and the root cert separately and added this to Apache; mod_headers is enabled. But SSL Labs says "No Chain. Check Backup Pins".

Header always set Public-Key-Pins "pin-sha256=\"Root-SSL-Public-Key\"; pin-sha256=\"Intermediate-SSL-Public-Key\"; pin-sha256=\"Domain-SSL-Public-Key\"; max-age=2592000; includeSubDomains"

Solution

  • HPKP is a bad idea. It’s way too easy to brick your site using it and the protection it provides is fairly small given that.

    Almost all browsers have dropped support for HPKP because of this.

    One of the things the spec includes to mitigate breaking your site is that you must have at least one pin that is NOT in your current cert and chain. That is, you must have two completely independent pins - one from a backup key/cert/CA, so if you lose control of your primary one you can still connect. If you have only pinned your cert, intermediate and root, then they are all from the same chain and so do not meet this requirement.

    Fix that and it should be accepted by SSL Labs. But honestly, why bother given browser support and the risk versus reward profile?
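The following is an added worked example, not code from the question or the answer. It shows how a pin-sha256 value is actually computed (base64 of the SHA-256 over the DER-encoded SubjectPublicKeyInfo), how to derive a backup pin from a private key that has no certificate yet, and how to check the rule the answer describes: at least one pin in the header must not match anything in the served chain. It assumes openssl is on PATH; the key and certificate files it uses are throwaways generated inside the script, so every file name is a stand-in for your real site material.

```shell
#!/bin/sh
# Added example (not from the original question or answer): compute HPKP
# pin-sha256 values with openssl and build a Public-Key-Pins header that
# includes a backup pin from a key that is NOT in the served chain.
# Assumptions: openssl is on PATH; the keys/certs below are generated here
# as throwaways, so every file name is a stand-in for your real material.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Pin = base64(SHA-256(DER SubjectPublicKeyInfo)). Input: PEM certificate.
pin_from_cert() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# Same value computed from a private key file: this is how you pin a backup
# key that has not been issued a certificate yet (the spec's required
# backup pin). It must equal pin_from_cert for the matching certificate.
pin_from_key() {
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# Build the Apache mod_headers directive. $1 = current leaf pin,
# $2 = backup key pin. Pin the leaf (or the backup) rather than the whole
# chain: the chain pins alone do not satisfy the backup-pin rule.
build_hpkp_header() {
  printf 'Header always set Public-Key-Pins "pin-sha256=\\"%s\\"; pin-sha256=\\"%s\\"; max-age=2592000; includeSubDomains"\n' "$1" "$2"
}

# The check SSL Labs performs: at least one header pin must not match any
# SPKI in the served chain. $1 = file with one chain pin per line,
# remaining args = the pins in the header. Returns 0 if a backup exists.
has_backup_pin() {
  chain="$1"; shift
  for p in "$@"; do
    grep -qxF -- "$p" "$chain" || return 0
  done
  return 1
}

# --- Demo with throwaway keys (constructed here, not real site material) ---
openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/site.key" 2>/dev/null
openssl req -new -x509 -key "$WORK/site.key" -subj "/CN=example.test" \
  -days 1 -out "$WORK/site.crt" 2>/dev/null
openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/backup.key" 2>/dev/null

SITE_PIN=$(pin_from_cert "$WORK/site.crt")
BACKUP_PIN=$(pin_from_key "$WORK/backup.key")
# Self-signed demo cert, so the served chain is just the leaf.
printf '%s\n' "$SITE_PIN" > "$WORK/chain.pins"

build_hpkp_header "$SITE_PIN" "$BACKUP_PIN"
```

Run it once to print a directive you can paste into the Apache vhost; keep backup.key offline, because if the live key is compromised or lost, that backup is the only way clients that cached the pins can still reach the site before max-age expires. The pin for the leaf and the pin for the backup key are computed from SPKI, not from the certificate bytes, so reissuing a certificate for the same key does not change the pin.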