
Certificate Pinning and SSL Inspection

Certificate pinning is a process in which a non-browser desktop or mobile application validates that the TLS certificate presented by the application's backend TLS web server matches a known set of certificates (or their public keys) pinned or hardcoded in the application, in addition to normal chain validation. This helps protect applications from man-in-the-middle (MITM) attacks. In such an attack, a MITM responds to the client's SSL handshake with a forged server certificate that is signed by a certificate authority (CA) the client's operating system or trust store already trusts, so ordinary chain validation alone does not detect the substitution.

To intercept TLS traffic, Zscaler dynamically generates a server certificate for each inspected site, signed by the Zscaler intermediate CA or by the customer's own intermediate CA. Even though the signing CA is trusted by the operating system, a certificate-pinned client cannot match the generated certificate (or its public key) to the pinned set, and the client terminates the connection.
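The client-side check described above, as an added example that is not part of the original article or any Zscaler code: a minimal DER walker locates the SubjectPublicKeyInfo of a leaf certificate, computes a `sha256/<base64>` SPKI pin (the format used by HPKP and by libraries such as OkHttp), and compares it with a pinned set. The certificates, key bytes, and issuer names (including the "Zscaler Intermediate CA" label) are constructed skeletons for the demo and are not real, signed certificates.

```python
import base64
import hashlib

# --- minimal DER helpers, enough to walk the fixed field order of an X.509 certificate

def _der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    """Wrap body in a DER TLV with the given tag byte."""
    return bytes([tag]) + _der_len(len(body)) + body

def _read_tlv(buf, pos):
    """Decode one TLV starting at pos; return (tag, value, end_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    """Split a constructed value into (tag, value, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(body):
        start = pos
        tag, value, pos = _read_tlv(body, pos)
        out.append((tag, value, body[start:pos]))
    return out

# --- SPKI pin computation and the pin check itself

def spki_der(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER X.509 certificate (RFC 5280 order)."""
    _, cert_body, _ = _read_tlv(cert_der, 0)        # Certificate ::= SEQUENCE
    tbs = _children(cert_body)[0]                    # tbsCertificate is the first element
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][2]

def spki_pin(cert_der):
    """'sha256/<base64>' pin over the SPKI, the form most pinning libraries use."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der(cert_der)).digest()).decode()

def check_pin(cert_der, pinned):
    """Runs after normal chain validation: a proxy certificate signed by an OS-trusted
    intermediate CA passes chain validation but still fails here."""
    return spki_pin(cert_der) in pinned

# --- constructed certificate skeletons for the demo (unsigned, not valid X.509 chains)

_OID_RSA = der(0x06, bytes.fromhex("2a864886f70d010101"))   # rsaEncryption
_OID_CN = der(0x06, bytes.fromhex("550403"))                # commonName
_ALG = der(0x30, _OID_RSA + der(0x05, b""))

def _name(cn):
    return der(0x30, der(0x31, der(0x30, _OID_CN + der(0x0C, cn.encode()))))

def make_cert(subject_cn, issuer_cn, public_key):
    """Build a minimal DER X.509 v3 skeleton carrying the given public key bytes."""
    spki = der(0x30, _ALG + der(0x03, b"\x00" + public_key))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + _ALG
              + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    return der(0x30, tbs + _ALG + der(0x03, b"\x00" + bytes(32)))  # dummy signature

# Hypothetical key material: the backend's real key vs. the key an inspecting proxy generates.
BACKEND_KEY = hashlib.sha256(b"backend key").digest() * 2
PROXY_KEY = hashlib.sha256(b"proxy key").digest() * 2

backend_cert = make_cert("api.example.com", "Example Issuing CA", BACKEND_KEY)
renewed_cert = make_cert("api.example.com", "Example Issuing CA G2", BACKEND_KEY)   # same key, reissued
proxy_cert = make_cert("api.example.com", "Zscaler Intermediate CA", PROXY_KEY)     # inspection cert

PINNED = {spki_pin(backend_cert)}

if __name__ == "__main__":
    print("backend :", check_pin(backend_cert, PINNED))   # True
    print("renewed :", check_pin(renewed_cert, PINNED))   # True, SPKI pin survives reissue with the same key
    print("proxy   :", check_pin(proxy_cert, PINNED))     # False, client tears the connection down
```

In a real client the DER leaf comes from the completed handshake (for example `SSLSocket.getpeercert(binary_form=True)` in Python's `ssl` module) and the check runs before any application data is sent, which is exactly why the inspecting proxy sees the connection close without data.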

Impacts of Certificate Pinning and SSL Inspection

Internet & SaaS Public Service Edges cannot detect certificate pinning, because there is no specific messaging from the client indicating that it has pinned a certificate. The proxy sends its Server Certificate, receives no usable response from the client, and the connection fails. In some situations the client closes the connection with a FIN (finish) or RST (reset) flag, but this is not sufficient to identify pinning and take corrective action.

As certificate pinning is a client-side function, the SSL connection fails on the leg between the client and the proxy. There is no standard behavior across clients when they terminate a connection because of a pin mismatch. A client might close the connection at any point after the Server Certificate is received: by aborting the handshake with a fatal alert whose reason is Unknown CA (unknown_ca), by completing the handshake and then sending an encrypted alert (typically close_notify) followed by a FIN, or, in some cases, by simply resetting the connection without exchanging any application data. Whatever the behavior, the SSL connection fails.
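The three client behaviors above, as an added example that is not part of the original article or any Zscaler code: a small TLS 1.2 record walker classifies what the client-facing leg did after the proxy sent its Server Certificate. The captures are constructed byte strings, the event format `("tls", bytes)` / `("tcp", "FIN"|"RST")` is an assumption of this example, and the verdicts deliberately say "consistent with pinning" rather than "pinning", since, as the text notes, the proxy cannot tell pinning apart from any other client-side rejection.

```python
import struct

# TLS record content types (RFC 5246)
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 0x14, 0x15, 0x16, 0x17

# Alert descriptions a client raises when it rejects the server certificate
ALERT_NAMES = {
    0: "close_notify", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca",
}
CERT_REJECT_ALERTS = {42, 43, 44, 45, 46, 48}

def iter_records(data):
    """Yield (content_type, version, body) for each TLS record in data."""
    pos = 0
    while pos + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[pos:pos + 5])
        yield ctype, version, data[pos + 5:pos + 5 + length]
        pos += 5 + length

def classify_client_leg(events):
    """Classify the client's reaction after the proxy sent its Server Certificate.

    events: ("tls", raw_record_bytes) for client-to-proxy records, in order, and
            ("tcp", "FIN" | "RST") for how the client closed the TCP connection.
    Returns (verdict, findings). TLS 1.2 framing is assumed: records after the
    client's ChangeCipherSpec are encrypted, so only their content type is visible.
    """
    encrypted = app_data = rejected = False
    findings, close = [], None
    for kind, payload in events:
        if kind == "tcp":
            close = payload
            continue
        for ctype, _version, body in iter_records(payload):
            if ctype == CHANGE_CIPHER_SPEC:
                encrypted = True
            elif ctype == APPLICATION_DATA:
                app_data = True
            elif ctype == ALERT:
                if encrypted:
                    findings.append("encrypted alert")      # level/description not readable
                else:
                    level, desc = body[0], body[1]
                    if level == 2 and desc in CERT_REJECT_ALERTS:
                        rejected = True
                    prefix = "fatal " if level == 2 else "warning "
                    findings.append(prefix + ALERT_NAMES.get(desc, "alert_%d" % desc))
    if app_data:
        return "ok", findings                             # data flowed, the certificate was accepted
    if rejected:
        return "cert_rejected_in_handshake", findings     # explicit reason, e.g. unknown_ca
    if "encrypted alert" in findings and close == "FIN":
        return "closed_after_handshake_no_data", findings # consistent with pinning
    if close == "RST":
        return "reset_no_data", findings                  # consistent with pinning
    return "inconclusive", findings

# Constructed client-leg captures matching the behaviors described in the text
CCS = b"\x14\x03\x03\x00\x01\x01"
ENC_FINISHED = b"\x16\x03\x03\x00\x28" + bytes(40)       # encrypted Finished
ENC_ALERT = b"\x15\x03\x03\x00\x1a" + bytes(26)          # encrypted alert (e.g. close_notify)
FATAL_UNKNOWN_CA = b"\x15\x03\x03\x00\x02\x02\x30"       # plaintext fatal alert, unknown_ca (48)
APP = b"\x17\x03\x03\x00\x05hello"

SAMPLES = {
    "fatal_alert": [("tls", FATAL_UNKNOWN_CA), ("tcp", "FIN")],
    "encrypted_close": [("tls", CCS + ENC_FINISHED), ("tls", ENC_ALERT), ("tcp", "FIN")],
    "bare_reset": [("tcp", "RST")],
    "normal": [("tls", CCS + ENC_FINISHED), ("tls", APP), ("tcp", "FIN")],
}

if __name__ == "__main__":
    for name, events in SAMPLES.items():
        print(name, "->", classify_client_leg(events))
```

Only the first sample yields an explicit reason; the other two failure patterns are indistinguishable from a client that gave up for any other reason, which is the practical limit on detecting pinning at the proxy. Under TLS 1.3 every record after ServerHello is encrypted and carries the application_data outer type, so the same capture would need the handshake state tracked differently.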

Options When Encountering Certificate Pinning and SSL Inspection

To prevent applications that use certificate pinning from breaking, exempt them from SSL Inspection. You can do this either by exempting the cloud application itself from SSL Inspection or by placing the application's individual domains in a custom URL category and exempting that category from SSL Inspection. Note that traffic to exempted domains is passed through without inspection, so keep the exemption as narrow as the application allows.

Native Applications That Use Certificate Pinning
