AZ Asia-Pacific - Zscaler Help Centre

Certificate Pinning and SSL Inspection

There is no universal tool or method to check whether an application does certificate pinning. Certificate pinning is used by the application to prevent MITM attacks, so Zscaler cannot do anything more than add the URL to the SSL bypass list.

In some cases an application will show an error message when certificate pinning is involved, while in others it simply cannot establish the connection. The best way to check is to add the application URLs to the SSL bypass list and confirm that the application works without SSL inspection. Application logs, where available, can also be reviewed. However, even Wireshark is not ideal for detecting certificate pinning: it has been confirmed that a packet capture only shows which certificate was used in the connection, not whether the application pins certificates. So if a login fails, for example, it might be due to a certificate pinning issue or to something blocked on the firewall. The product's support page should usually list the IPs, FQDNs and ports the application requires.

Based on our past deployment experience, exempting the application from SSL inspection normally resolves the issue, which means the unexpected certificate caused it. From the troubleshooter's point of view, if the SSL exemption works, the issue is highly likely due to certificate pinning.

This is a summary of the application flow when certificate pinning is performed:

  1. Any application may be inspected by Zscaler, which means the Zscaler certificate is presented to the application server.

  2. If the application server does not recognize Zscaler as a legitimate certificate issuer, there will be an error.

  3. By bypassing them, the application instead sends its own certificate to the application server, which is accepted and access is allowed.
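As an added example (not Zscaler's code and not part of this article), the following Python simulates the two checks a pinning application performs on the certificate it is presented with: ordinary trust-store validation, which a Zscaler-issued certificate passes once the Zscaler root is deployed on the endpoint, and the pin comparison against the key the application shipped with, which that certificate fails. Every certificate value, issuer name and key below is a constructed placeholder, and the hostname app.example.com is assumed; a real application would hash the SubjectPublicKeyInfo of the leaf certificate taken from the TLS handshake.

```python
"""
Simulated certificate-pinning decision (added example, not Zscaler's code).

Shows why a connection works with the URL on the SSL bypass list and fails
when SSL inspection substitutes a certificate: the substitute chains to a
trusted root, but its public key does not match the pin shipped in the app.
All certificate material here is constructed placeholder data.
"""
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # constructed stand-in for the DER-encoded SubjectPublicKeyInfo


def spki_pin(spki: bytes) -> str:
    """HPKP-style pin value: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode("ascii")


def chain_trusted(leaf: Cert, trusted_issuers: set) -> bool:
    """Simplified trust-store validation: is the leaf's issuer trusted?"""
    return leaf.issuer in trusted_issuers


def pin_accepts(leaf: Cert, pins: set) -> bool:
    """The pinning check: the presented key must match a pre-shipped pin."""
    return spki_pin(leaf.spki) in pins


def verify(leaf: Cert, trusted_issuers: set, pins: set) -> str:
    """Return 'ok', 'untrusted-chain' or 'pin-mismatch' for the leaf."""
    if not chain_trusted(leaf, trusted_issuers):
        return "untrusted-chain"
    if not pin_accepts(leaf, pins):
        return "pin-mismatch"
    return "ok"


# --- constructed scenario ---------------------------------------------------
# The application was shipped with a pin for its own server key.
ORIGIN_SPKI = b"constructed-origin-server-public-key"
PINS = {spki_pin(ORIGIN_SPKI)}

# Both the public CA and the Zscaler root are in the device trust store,
# as on a managed endpoint where the Zscaler root has been deployed.
TRUSTED = {"Public CA", "Zscaler Root CA"}

# Certificate the origin server presents when the URL is on the SSL bypass list.
ORIGIN_CERT = Cert(subject="app.example.com", issuer="Public CA", spki=ORIGIN_SPKI)

# Certificate presented under SSL inspection: same subject, issued under the
# Zscaler root, but carrying a different (Zscaler-held) key.
INSPECTED_CERT = Cert(subject="app.example.com", issuer="Zscaler Root CA",
                      spki=b"constructed-zscaler-generated-key")


def bypass_vs_inspect() -> dict:
    """Outcome of the app's verification with bypass versus inspection."""
    return {
        "ssl_bypass": verify(ORIGIN_CERT, TRUSTED, PINS),
        "ssl_inspected": verify(INSPECTED_CERT, TRUSTED, PINS),
    }


if __name__ == "__main__":
    for mode, result in bypass_vs_inspect().items():
        print(f"{mode:14s} -> {result}")
```

The inspected certificate passes chain_trusted but fails pin_accepts, which is exactly the case a packet capture cannot distinguish: the capture shows a valid Zscaler-issued certificate on the wire, while the rejection happens inside the application's own pin comparison.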

Note that even when the connection is not SSL intercepted, Zscaler can still block it if malicious content is detected.

Refer to this article for the native applications identified by Zscaler as doing certificate pinning: Certificate Pinning and SSL Inspection | Zscaler