These HPKP instructions are rather dangerous (as in: more dangerous than they have to be).<p>The hash is for the ISRG root certificate, which is not widely trusted yet. While an ISRG-signed intermediate certificate is available, all clients currently default to the IdenTrust-signed intermediate, and even if you decide to use the other intermediate instead (or both, which most browsers can handle), that doesn't guarantee that browser build a trust path through that intermediate - it might have the other one cached from a different site. In other words, the second pin would almost never be satisfied, which means you're screwed once your private key is compromised or changes. Screwed as in your domain is bricked for up to 30 days with this max-age setting.<p>A slightly better approach would be to pin to both the ISRG and the IdenTrust root[1], plus your private key and a couple of backup keys that you keep offline. One or two backup pins to other CAs couldn't hurt either. Oh, and best run with Report-Only for a while.<p>[1]: <a href="https://www.identrust.com/certificates/trustid/root-download-x3.html" rel="nofollow">https://www.identrust.com/certificates/trustid/root-download...</a>
This is rather overly complicated and should only be used for test domains you do not care about.<p>Much easier and very effective is to use the apache2 or nginx config file options to manually disable sslv3, tls1.0 and tls 1.1. Permit only TLS 1.2. If you want to, manually specify the preferred order or crypto.<p>Any modern browser supports TLS 1.2 just fine. I've done this for every httpd I admin and it has had no effect on reachability.
Your best option is probably to read, understand, and use the configs at <a href="https://cipherli.st" rel="nofollow">https://cipherli.st</a>