Certificate Pinning


What is Certificate Pinning?

Certificate Pinning is a technique by which native applications check that the certificate (or public key) presented by a server matches a known value or set of rules embedded in the application, rather than relying only on the operating system's trust store. Its purpose is to protect the integrity and confidentiality of data in transit and to defeat man-in-the-middle interception of traffic by a bad actor.

Such applications treat every other certificate as invalid, even one issued by a certificate authority the operating system trusts, and refuse the TLS connection.

How does it affect my users?

If your organization uses Internet Access, the Harmony SASE agent applies TLS inspection so that questionable sites cannot hide malicious payloads inside encrypted traffic. To inspect a session, the agent presents the application with a replacement certificate signed by Harmony SASE instead of the server's original certificate. Applications that use Certificate Pinning deem that certificate invalid and fail to establish the TLS connection.
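The following is an added example (not part of this documentation and not Harmony SASE code) showing, in Python with the standard library only, how a pinning application decides whether to accept a TLS chain and why a certificate re-issued by an inspecting proxy fails that decision. It assumes the common SPKI-based pin format ("sha256/" plus the base64 SHA-256 of the SubjectPublicKeyInfo, as used by HPKP and Android/OkHttp pin sets); the certificates it builds are constructed toy DER structures laid out like X.509 with simplified Name fields, not real certificates, and the keys are constructed placeholder bytes.

```python
"""Added example: an SPKI pin check over constructed toy X.509-shaped DER
certificates. Not part of the Harmony SASE documentation."""
from __future__ import annotations

import base64
import hashlib

OID_EC_PUBLIC_KEY = b"\x2a\x86\x48\xce\x3d\x02\x01"     # 1.2.840.10045.2.1
OID_ECDSA_SHA256 = b"\x2a\x86\x48\xce\x3d\x04\x03\x02"  # 1.2.840.10045.4.3.2


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short or long definite length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode the TLV at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nb = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + nb], "big"), 2 + nb
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def toy_spki(public_key: bytes) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey BIT STRING }."""
    return der_seq(der_seq(der(0x06, OID_EC_PUBLIC_KEY)), der(0x03, b"\x00" + public_key))


def toy_certificate(subject: bytes, issuer: bytes, spki: bytes, sig: bytes) -> bytes:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }.
    tbsCertificate fields are in X.509 order; Name fields are simplified (constructed)."""
    tbs = der_seq(
        der(0xA0, der(0x02, b"\x02")),                                # [0] version v3
        der(0x02, b"\x01"),                                            # serialNumber
        der_seq(der(0x06, OID_ECDSA_SHA256)),                          # signature algorithm
        der_seq(der(0x0C, issuer)),                                    # issuer (simplified)
        der_seq(der(0x17, b"240101000000Z"), der(0x17, b"250101000000Z")),  # validity
        der_seq(der(0x0C, subject)),                                   # subject (simplified)
        spki,                                                          # subjectPublicKeyInfo
    )
    return der_seq(tbs, der_seq(der(0x06, OID_ECDSA_SHA256)), der(0x03, b"\x00" + sig))


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SPKI element by walking tbsCertificate field by field."""
    _, cert_body, _ = read_tlv(cert_der, 0)       # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert_body, 0)            # tbsCertificate SEQUENCE
    pos = 0
    tag, _, nxt = read_tlv(tbs, 0)
    if tag == 0xA0:                               # optional [0] version
        pos = nxt
    for _ in range(5):                            # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    tag, _, end = read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    return tbs[pos:end]


def spki_pin(cert_der: bytes) -> str:
    """The pin string an application would embed for this certificate's key."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def chain_matches_pins(chain: list[bytes], pins: set[str]) -> bool:
    """Accept only if some certificate in the chain matches a pin. Anything
    else, including a chain signed by a CA the OS trusts, is rejected."""
    return any(spki_pin(cert) in pins for cert in chain)


# Constructed placeholder keys: the server's key, and the key the inspecting
# proxy mints when it re-issues the certificate.
SERVER_KEY = b"\x04" + bytes(range(1, 65))
PROXY_KEY = b"\x04" + bytes(range(65, 129))

GENUINE = toy_certificate(b"api.example.com", b"Public CA", toy_spki(SERVER_KEY), b"\x11" * 64)
RENEWED = toy_certificate(b"api.example.com", b"Public CA", toy_spki(SERVER_KEY), b"\x22" * 64)
INSPECTED = toy_certificate(b"api.example.com", b"Harmony SASE", toy_spki(PROXY_KEY), b"\x33" * 64)

APP_PINS = {spki_pin(GENUINE)}   # what the application shipped with


def demo() -> dict[str, bool]:
    """A renewed certificate with the same key passes; the inspection-issued
    certificate carries the proxy's key, so the pin fails even though the
    Harmony SASE CA is trusted by the operating system."""
    return {
        "genuine": chain_matches_pins([GENUINE], APP_PINS),
        "renewed_same_key": chain_matches_pins([RENEWED], APP_PINS),
        "inspection_reissued": chain_matches_pins([INSPECTED], APP_PINS),
    }


if __name__ == "__main__":
    print(demo())
```

Pinning on the SPKI rather than the whole certificate is why routine certificate renewal with the same key does not break the application, while any re-signing by an inspection CA, which necessarily substitutes the proxy's key, does. Real applications vary (some pin a leaf certificate hash, some an intermediate CA's SPKI), but the outcome under TLS inspection is the same: the chain fails the pin and the connection is refused.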

What to do?

Internet Access should be configured to bypass applications known to utilize certificate pinning. Applications can be bypassed using the following methods:

  • Using the process name of the application
  • A specific domain the application may be accessing
  • A combination of the above methods.

To get the exact process name, do the following:

  • Windows:

    Open Task Manager, switch to the Details tab and locate the application. The Name column shows the process name (for example, Dropbox.exe).

    Copy the exact process name.

  • macOS:

    1. Binary name: in Activity Monitor, select the process, choose Inspect selected process > Sample and look at the Binary Images section; the first item in the list is the application's own binary.
    2. Bundle identifier: in Finder, open Applications, right-click the application and choose Show Package Contents, then open Contents/Info.plist and copy the string that follows the CFBundleIdentifier key.

  • Linux:

    Use this command:

    ps aux | grep app_name

    The COMMAND column may show the full path and arguments; use only the binary name.

Note that the application process name used in a bypass rule must be the binary name itself, without a path or arguments.
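As an added example (not part of this documentation), the script below wraps the Linux and macOS steps above into two shell helpers: one that turns `ps -eo args=` output into de-duplicated bare binary names, and one that pulls the CFBundleIdentifier out of an Info.plist. It uses `args` rather than `comm` because on Linux `comm` is truncated to 15 characters, and it assumes `plutil -convert xml1 -o -` for plists stored in binary form (`defaults read <app>/Contents/Info CFBundleIdentifier` works too). The process list and the plist it parses are constructed samples so that it runs offline.

```shell
#!/bin/sh
# Added example; not part of the Harmony SASE documentation.
# Helpers for getting the exact identifier a program bypass rule expects.

# Usage: ps -eo args= | find_process_names <pattern>
# Keeps the executable (first field of each command line), strips the
# directory part, filters case-insensitively and de-duplicates.
find_process_names() {
    awk '{ print $1 }' | sed 's#.*/##' | grep -i -- "$1" | LC_ALL=C sort -u
}

# Usage: plutil -convert xml1 -o - /Applications/Foo.app/Contents/Info.plist | bundle_id_from_plist
# Prints the <string> value that follows the CFBundleIdentifier key.
bundle_id_from_plist() {
    awk '
        /<key>CFBundleIdentifier<\/key>/ { want = 1; next }
        want && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit
        }'
}

# Constructed sample of `ps -eo args=` output (not captured from a real host).
SAMPLE_PS='/usr/lib/systemd/systemd --user
/opt/dropbox/Dropbox --background
/opt/dropbox/Dropbox --background
/home/alice/.dropbox-dist/dropboxd
/usr/lib/firefox/firefox'

# Constructed Info.plist fragment (not copied from a real application bundle).
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleExecutable</key>
    <string>Slack</string>
    <key>CFBundleIdentifier</key>
    <string>com.tinyspeck.slackmacgap</string>
</dict>
</plist>'

# Bare binary names matching "dropbox" in the sample: Dropbox and dropboxd.
names_demo() {
    printf '%s\n' "$SAMPLE_PS" | find_process_names dropbox
}

# Bundle identifier from the sample plist: com.tinyspeck.slackmacgap.
bundle_demo() {
    printf '%s\n' "$SAMPLE_PLIST" | bundle_id_from_plist
}

names_demo
bundle_demo
```

Note that the Windows rows in the examples below use the .exe name while the macOS rows use the bundle identifier, so on macOS the second helper, not the first, produces the value for the rule.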

Here are some examples of applications that use Certificate Pinning, with the bypass criteria for each (Program is the process name or bundle identifier; Domains are the hosts the application contacts):

Application: Adobe Suite (including Acrobat Reader, Creative Cloud and software updates)
Program: N/A
Domains: add the domains from these lists: List 1, List 2

Application: Apple's iMessage, iTunes, App Store, Mail
Program: N/A
Domains:
  p24-keyvalueservice.icloud.com
  apps.apple.com
  itunes.apple.com
  mzstatic.com
  gs-loc.apple.com
  gsa.apple.com
  securemetrics.apple.com
  swscan.apple.com
  xp.apple.com
  ppq.apple.com
  akadns.net
  mail.me.com
  music.apple.com

Application: AWS Console
Program: N/A
Domains:
  console.aws.amazon.com
  docs.aws.amazon.com
  signin.aws.amazon.com
  fls-na.amazon.com
  cdn.assets.as2.amazonaws.com
  aws-signin-website-assets.s3.amazonaws.com
  opfcaptcha-prod.s3.amazonaws.com
  d1dgtfo2wk29o4.cloudfront.net
  images-na.ssl-images-amazon.com

Application: Bitdefender
Program: N/A
Domains:
  cdn.bitdefender.net
  download.bitdefender.com
  login.bitdefender.net
  login.bitdefender.com
  nimbus.bitdefender.net
  push.bitdefender.net
  upgrade.bitdefender.com

Application: Dropbox
Program:
  Dropbox.exe
  DropboxUpdate.exe
  DbxSvc.exe
  com.getdropbox.dropbox
  com.getdropbox.dropbox.garcon
  com.getdropbox.dropbox.activityprovider
  com.getdropbox.dropbox.fileprovider
Domains: N/A

Application: Evernote
Program: evernote.exe
Domains:
  announce.evernote.com
  cd1.evernote.com
  evernote-a.akamaihd.net
  www.evernote.com

Application: Google Drive
Program:
  Windows: googledrivefs.exe
  macOS: com.google.drivefs, com.google.drivefs.finderhelper.findersync
Domains: N/A

Application: Google Services
Program: N/A
Domains:
  alt2-mtalk.google.com
  android.clients.google.com
  www.google.com
  android.googleapis.com
  cryptauthenrollment.googleapis.com
  device-provisioning.googleapis.com
  digitalassetlinks.googleapis.com
  fcmconnection.googleapis.com
  fcmtoken.googleapis.com
  firebaseperusertopics-pa.googleapis.com
  play.googleapis.com
  semanticlocation-pa.googleapis.com
  lh3.googleusercontent.com
  play-lh.googleusercontent.com
  gstatic.com
  gvt1.com

Application: Java Updates
Program: N/A
Domains:
  sjremetrics.java.com
  javadl-esd-secure.oracle.com

Application: LogMeIn
Program: logmein.exe
Domains: add the domains from this list

Application: Microsoft Defender
Program: N/A
Domains: add the domains from this list

Application: Microsoft Lync and Skype
Program: N/A
Domains:
  lync.com
  az801095.vo.msecnd.net
  i.s-microsoft.com

Application: Microsoft Office 365
Program: configure within Office365 under Policy > URL & Cloud App Control > Advanced Settings
Domains: for Outlook, add office365.com, office.net, office.com

Application: Microsoft OneDrive
Program: N/A
Domains:
  cdn.funcaptcha.com
  fpt.live.com
  odc.officeapps.live.com
  skyapi.policies.live.net
  signup.live.com
  skyapi.live.net
  pipe.aria.microsoft.com
  data.microsoft.com
  svc.ms
  msauth.net
  cdn.onenote.net

Application: Microsoft Windows Store
Program: N/A
Domains:
  eus-streaming-video-msn-com
  wns.windows.com
  live.com
  clientconfig.passport.net
  wustat.windows.com
  windowsupdate.com
  msftncsi.com
  microsoft.com

Application: Microsoft Updates
Program: N/A
Domains:
  settings-win.data.microsoft.com
  vortex-win.data.microsoft.com
  delivery.mp.microsoft.com
  tsfe.trafficshaping.dsp.mp.microsoft.com
  update.microsoft.com
  sls.update.microsoft.com

Application: Slack
Program:
  Windows: slack.exe
  macOS: com.tinyspeck.slackmacgap, com.tinyspeck.slackmacgap.helper
Domains: N/A

Application: Spotify
Program: N/A
Domains: spotify.com

Application: Webex
Program:
  atmrg.exe
  wmlhost.exe
  webexmta.exe
  washost.exe
Domains: webex.com

Application: Zoom
Program:
  Windows: zoom.exe
  macOS: us.zoom.xos
Domains: zoom.us

Default Bypass Rules

The Default Bypass rules prevent the connection failures caused by applications and web services that are known to use certificate pinning.

Important:
Traffic that matches a bypass rule is not inspected and is excluded from Internet Access Policy enforcement, Threat Prevention, and DLP controls. Keep bypass rules as narrow as possible: a program-based rule matches on the binary name alone, so any process running under that name is exempt from inspection, and a domain-based rule with Source and Programs set to Any exempts all traffic to that domain regardless of which application sends it. Review the enabled rules periodically and disable any that your organization does not need.

To view the complete list of default Bypass Rules, go to Web Security > Bypass Rules.

Each rule is listed with its Status, Source, Programs, Domains and Categories.

Rule: Bypass Microsoft Teams - Pre-configured
Status: Enabled
Source: Any
Programs: com.microsoft.teams, Teams.exe
Domains: N/A
Categories: N/A

Rule: Bypass sensitive traffic - Pre-configured
Status: Disabled
Source: Any
Programs: Any
Domains: N/A
Categories: Financial Services, Government, Health and Medicine, Legal

Rule: Bypass Microsoft Outlook - Pre-configured
Status: Enabled
Source: Programs
Programs: com.microsoft.Outlook.exe, outlook.exe
Domains: N/A
Categories: N/A

Rule: Bypass Microsoft updates - Pre-configured
Status: Enabled
Source: Any
Programs: Any
Domains:
  settings-win.data.microsoft.com
  vortex-win.data.microsoft.com
  delivery.mp.microsoft.com
  tsfe.trafficshaping.dsp.mp.microsoft.com
  update.microsoft.com
  sls.update.microsoft.com
Categories: N/A

Rule: Bypass Adobe updates - Pre-configured
Status: Enabled
Source: Any
Programs: Any
Domains: adobe.com, adobetag.com
Categories: N/A

Rule: Bypass Java updates - Pre-configured
Status: Enabled
Source: Any
Programs: Any
Domains: sjremetrics.java.com, javadl-esd-secure.oracle.com
Categories: N/A

Rule: Bypass Mozilla Firefox updates - Pre-configured
Status: Enabled
Source: Any
Programs: Any
Domains: download-installer.cdn.mozilla.net
Categories: N/A

Rule: Bypass AWS console - Pre-configured
Status: Enabled
Source: Any
Programs: Any
Domains:
  console.aws.amazon.com
  docs.aws.amazon.com
  signin.aws.amazon.com
  fls-na.amazon.com
  cdn.assets.as2.amazonaws.com
  aws-signin-website-assets.s3.amazonaws.com
  opfcaptcha-prod.s3.amazonaws.com
  d1dgtfo2wk29o4.cloudfront.net
  images-na.ssl-images-amazon.com
Categories: N/A

Rule: Bypass Dropbox - Pre-configured
Status: Enabled
Source: Programs
Programs:
  Dropbox.exe
  DropboxUpdate.exe
  DbxSvc.exe
  com.getdropbox.dropbox
  com.getdropbox.dropbox.garcon
  com.getdropbox.dropbox.activityprovider
  com.getdropbox.dropbox.fileprovider
Domains: N/A
Categories: N/A

Rule: Bypass Google services - Pre-configured
Status: Enabled
Source: Any
Programs: Any
Domains:
  alt2-mtalk.google.com
  android.clients.google.com
  www.google.com
  android.googleapis.com
  cryptauthenrollment.googleapis.com
  device-provisioning.googleapis.com
  digitalassetlinks.googleapis.com
  fcmconnection.googleapis.com
  fcmtoken.googleapis.com
  firebaseperusertopics-pa.googleapis.com
  play.googleapis.com
  semanticlocation-pa.googleapis.com
  lh3.googleusercontent.com
  play-lh.googleusercontent.com
  gstatic.com
  gvt1.com
Categories: N/A

Rule: Bypass Google Drive – Pre-configured
Status: Enabled
Source: Programs
Programs: googledrivefs.exe, com.google.drivefs, com.google.drivefs.finderhelper.findersync
Domains: N/A
Categories: N/A

Rule: Bypass OneDrive - Pre-configured
Status: Enabled
Source: Any
Programs: Any
Domains:
  cdn.funcaptcha.com
  fpt.live.com
  odc.officeapps.live.com
  skyapi.policies.live.net
  signup.live.com
  skyapi.live.net
  pipe.aria.microsoft.com
  data.microsoft.com
  svc.ms
  msauth.net
  cdn.onenote.net
Categories: N/A

Rule: Bypass LogMeIn - Pre-configured
Status: Enabled
Source: Any
Programs: Any
Domains:
  cdngetgo.com
  expertcity.com
  getgo.com
  getgocdn.com
  getgoservices.com
  getgoservices.net
  go2assist.me
  gofastchat.com
  goto-rtc.com
  gotoassist.com
  gotoassist.at
  gotoassist.me
  gotomeet.at
  gotomeet.me
  gotomeeting.com
  gotomypc.com
  gotostage.com
  gototraining.com
  gotowebinar.com
  helpme.net
  accounts.logme.in
  joingotomeeting.com
  jointraining.com
  joinwebinar.com
  logmein.com
  logmeininc.com
  logmeinrescue.com
Categories: N/A

Rule: Bypass Microsoft Lync and Skype - Pre-configured
Status: Enabled
Source: Any
Programs: Any
Domains: lync.com, az801095.vo.msecnd.net, i.s-microsoft.com
Categories: N/A

Rule: Bypass Apple services - Pre-configured
Status: Enabled
Source: Any
Programs: Any
Domains:
  p24-keyvalueservice.icloud.com
  apps.apple.com
  itunes.apple.com
  mzstatic.com
  gs-loc.apple.com
  gsa.apple.com
  securemetrics.apple.com
  swscan.apple.com
  xp.apple.com
  ppq.apple.com
  akadns.net
  mail.me.com
  music.apple.com
Categories: N/A

Rule: Bypass Bitdefender services - Pre-configured
Status: Enabled
Source: Any
Programs: Any
Domains:
  cdn.bitdefender.net
  download.bitdefender.com
  login.bitdefender.net
  login.bitdefender.com
  nimbus.bitdefender.net
  push.bitdefender.net
  upgrade.bitdefender.com
Categories: N/A

Rule: Bypass Zoom - Pre-configured
Status: Enabled
Source: Any
Programs: Any
Domains: zoom.us
Categories: N/A

Rule: Bypass Webex - Pre-configured
Status: Enabled
Source: Any
Programs: Any
Domains: webex.com
Categories: N/A

Rule: Bypass Spotify - Pre-configured
Status: Enabled
Source: Any
Programs: Any
Domains: spotify.com
Categories: N/A

Rule: Check Point Updates - HTTPS bypass
Status: Enabled
Source: Any
Programs: Any
Domains: avupdates.checkpoint.com, secureupdates.checkpoint.com, updates.checkpoint.com
Categories: N/A

Rule: Dashlane - HTTPS bypass
Status: Enabled
Source: Any
Programs: Any
Domains: dashlane.com, *.dashlane.com
Categories: N/A

Rule: Facebook – Pre-configured
Status: Disabled
Source: Any
Programs: Any
Domains: facebook.com
Categories: N/A

Rule: Finch VPN - HTTPS bypass
Status: Enabled
Source: Any
Programs: Any
Domains: amber.finchapi.com, www.finchvpn.com
Categories: N/A

Rule: MyQuickCloud - HTTPS bypass
Status: Enabled
Source: Any
Programs: Any
Domains: *.myquickcloud.com
Categories: N/A

Rule: Elster de - HTTPS bypass
Status: Enabled
Source: Any
Programs: Any
Domains:
  *.elster.de
  datenannahme1.elster.de
  datenannahme2.elster.de
  datenannahme3.elster.de
  datenannahme4.elster.de
  datenannahme5.elster.de
  datenannahme6.elster.de
  datenannahme7.elster.de
  datenannahme8.elster.de
  datenannahme9.elster.de
  datenannahme0.elster.de
  datenannahme.elster.de
Categories: N/A