If your organization generates and rotates keys more than once a year, you might consider not implementing static key pinning. Internet Engineering Task Force (IETF) Request for Comments (RFC) 7459 (Representation of Uncertainty and Confidence in the Presence Information Data Format Location Object) and RFC 7469 (Public Key Pinning Extension for HTTP) state that you have to pin two separate certificates in order to maintain confidence and have an immediate backup that is not currently in use. One pin must be in the certificate chain used for client connections; the other pin(s) must not be present in the certificate chain being pinned. For a huge enterprise, keeping a minimum of four extra CA-signed certificates in the key store would be recommended. The business can afford the extra peace of mind at little cost compared to the risk of blocking customers. The standards for presentation and method are not the best for implementation at this point. Is this why it is used by less than 1% of the entire Internet?
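The primary-plus-backup rule above, as an added example that is not part of the original procedure: it computes RFC 7469 pin values from DER SubjectPublicKeyInfo bytes, builds a Public-Key-Pins header, and applies the acceptance check a user agent performs (at least one pin matching the served chain, at least one backup pin that does not). The SPKI byte strings, `build_hpkp_header` and `validate_header` are constructed for illustration, not real keys or library functions.

```python
import base64
import hashlib
import re

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real keys).
CHAIN_SPKI = [b"leaf-spki-constructed", b"intermediate-spki-constructed"]
BACKUP_SPKI = [b"backup-spki-constructed"]


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_hpkp_header(chain_spkis, backup_spkis, max_age=5184000):
    """Build a Public-Key-Pins value: the leaf pin plus at least one backup pin.

    Backup pins must belong to keys that are NOT in the served chain, so a key
    rotation can be completed without locking out returning clients.
    """
    chain_pins = {spki_pin(s) for s in chain_spkis}
    backup_pins = sorted({spki_pin(s) for s in backup_spkis})
    if not backup_pins:
        raise ValueError("at least one backup pin is required")
    if chain_pins.intersection(backup_pins):
        raise ValueError("a backup pin must not be present in the served chain")
    pins = [spki_pin(chain_spkis[0])] + backup_pins
    return "; ".join(f'pin-sha256="{p}"' for p in pins) + f"; max-age={max_age}"


def validate_header(header: str, chain_spkis) -> bool:
    """Acceptance rules a user agent applies before trusting the pins.

    True only when the header carries at least one pin that matches the
    served chain and at least one backup pin that does not match it.
    """
    pins = set(re.findall(r'pin-sha256="([^"]+)"', header))
    chain_pins = {spki_pin(s) for s in chain_spkis}
    if len(pins) < 2:
        return False
    return bool(pins & chain_pins) and bool(pins - chain_pins)


if __name__ == "__main__":
    header = build_hpkp_header(CHAIN_SPKI, BACKUP_SPKI)
    print("Public-Key-Pins:", header)
    print("current chain accepted:", validate_header(header, CHAIN_SPKI))
    # Rotation into the pre-pinned backup key keeps the site reachable.
    print("rotation to backup accepted:", validate_header(header, [BACKUP_SPKI[0], CHAIN_SPKI[1]]))
    # Rotation to a key that was never pinned is the customer lock-out the text warns about.
    print("unpinned rotation accepted:", validate_header(header, [b"new-leaf-spki-constructed"]))
```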
None of us here at Zombie are fans of this technology, but it is being replaced by Expect-CT. We will be updating this procedure to Expect-CT.
systemctl restart httpd