---
title: "Certificate Pinning"
slug: "certificate-pinning"
updated: 2026-04-07T09:08:35Z
published: 2026-04-07T09:08:35Z
canonical: "support.perimeter81.com/certificate-pinning"
---

# Certificate Pinning

## What is Certificate Pinning?

Certificate pinning is the process by which native applications validate that the certificate presented by the server matches a known set of rules and conditions. Its purpose is to ensure the integrity of data in transit and to prevent a bad actor from sniffing traffic through a man-in-the-middle attack.

Those applications will treat all other certificates as invalid, and the TLS connection will be refused.

## How does it affect my users?

If your organization uses [Internet Access](/v1/docs/secure-web-gateway), the Check Point SASE agent will utilize TLS inspection to prevent questionable sites from obfuscating malicious payloads within encrypted traffic. During this process, our system issues certificates signed by Check Point SASE. As a result, applications that utilize Certificate Pinning may deem those certificates invalid and fail to create a TLS connection.

## What to do?

Internet Access should be configured to [bypass](https://support.perimeter81.com/docs/secure-web-gateway#bypass-rules) applications known to utilize certificate pinning. Applications can be bypassed using the following methods:

- The process name of the application
- A specific domain the application may be accessing
- A combination of the above methods

To get the exact process name, do the following:

- **Windows:**
  1. Open the Task Manager and search for the application. The program name is under the **Details** tab.

     ![Windows SWG agent.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Windows%20SWG%20agent.png)
  2. Copy the exact process name.
- **macOS:**
  1. Go to Activity Monitor > Inspect selected process > Sample > Binary Images section > first item in the list.
  2. Open Finder > Applications > Show Package Contents > Contents/Info.plist > Grab the string after the CFBundleIdentifier key.
- **Linux:** Use this command:

  ```bash
  ps aux | grep app_name
  ```

Note that the process name used in a bypass rule should be only the binary name itself.

Here are some examples of applications which use Certificate Pinning and bypass criteria for them:

| Application | Program | Domain |
| --- | --- | --- |
| Adobe Suite (including Acrobat Reader, Creative Cloud and software updates) | N/A | Fill in these domain lists: [List 1](https://helpx.adobe.com/enterprise/kb/network-endpoints.html#main-pars_header_474584398), [List 2](https://www.adobe.com/devnet-docs/acrobatetk/tools/AdminGuide/endpoints.html#feature-endpoints) |
| Apple's iMessages, iTunes, App Store, Mail | N/A | p24-keyvalueservice.icloud.com apps.apple.com itunes.apple.com mzstatic.com gs-loc.apple.com gsa.apple.com securemetrics.apple.com swscan.apple.com xp.apple.com ppq.apple.com akadns.net mail.me.com music.apple.com |
| AWS Console | N/A | console.aws.amazon.com docs.aws.amazon.com signin.aws.amazon.com fls-na.amazon.com cdn.assets.as2.amazonaws.com aws-signin-website-assets.s3.amazonaws.com opfcaptcha-prod.s3.amazonaws.com d1dgtfo2wk29o4.cloudfront.net images-na.ssl-images-amazon.com |
| Bitdefender | N/A | cdn.bitdefender.net download.bitdefender.com login.bitdefender.net login.bitdefender.com nimbus.bitdefender.net push.bitdefender.net upgrade.bitdefender.com |
| DropBox | Dropbox.exe DropboxUpdate.exe DbxSvc.exe com.getdropbox.dropbox com.getdropbox.dropbox.garcon com.getdropbox.dropbox.activityprovider com.getdropbox.dropbox.fileprovider | N/A |
| Evernote | evernote.exe | announce.evernote.com cd1.evernote.com evernote-a.akamaihd.net www.evernote.com |
| Google Drive | **Windows**: googledrivefs.exe **macOS**: com.google.drivefs com.google.drivefs.finderhelper.findersync | N/A |
| Google Services | N/A | alt2-mtalk.google.com android.clients.google.com www.google.com android.googleapis.com cryptauthenrollment.googleapis.com device-provisioning.googleapis.com digitalassetlinks.googleapis.com fcmconnection.googleapis.com fcmtoken.googleapis.com firebaseperusertopics-pa.googleapis.com play.googleapis.com semanticlocation-pa.googleapis.com lh3.googleusercontent.com play-lh.googleusercontent.com gstatic.com gvt1.com |
| Java Updates | N/A | sjremetrics.java.com javadl-esd-secure.oracle.com |
| LogMeIn | logmein.exe | Fill in this [domain list](https://support.goto.com/webinar/help/optimal-firewall-configuration-g2w060025) |
| Microsoft Defender | N/A | Fill in this [domain list](https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-proxy-internet?view=o365-worldwide#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server) |
| Microsoft Lync and Skype | N/A | lync.com az801095.vo.msecnd.net i.s-microsoft.com |
| Microsoft Office365 | Configure within Office365 under **Policy** > **URL & Cloud App Control** > **Advanced Settings** | For Outlook, add the following domains: [office365.com](http://office365.com/), [office.net](http://office.net/), [office.com](http://office.com/) |
| Microsoft OneDrive | N/A | cdn.funcaptcha.com fpt.live.com odc.officeapps.live.com skyapi.policies.live.net signup.live.com skyapi.live.net pipe.aria.microsoft.com data.microsoft.com svc.ms msauth.net cdn.onenote.net |
| Microsoft Windows Store | N/A | eus-streaming-video-msn-com wns.windows.com live.com clientconfig.passport.net wustat.windows.com windowsupdate.com msftncsi.com microsoft.com |
| Microsoft Updates | N/A | settings-win.data.microsoft.com vortex-win.data.microsoft.com delivery.mp.microsoft.com tsfe.trafficshaping.dsp.mp.microsoft.com update.microsoft.com sls.update.microsoft.com |
| Slack | **Windows**: slack.exe **macOS**: com.tinyspeck.slackmacgap com.tinyspeck.slackmacgap.helper | N/A |
| Spotify | N/A | spotify.com |
| Webex | atmrg.exe wmlhost.exe webexmta.exe washost.exe | webex.com |
| Zoom | **Windows**: zoom.exe **macOS**: us.zoom.xos | zoom.us |

## Default Bypass Rules

The Default Bypass rules prevent potential issues with applications and web services that are known to use certificate pinning.

Important: Traffic that matches a bypass rule is not inspected and is excluded from Internet Access Policy enforcement, Threat Prevention, and DLP controls. If your organization uses [Tenant Restrictions](/v1/docs/tenant-restrictions), some of the default bypass rules below may include domains that must be inspected for tenant restriction enforcement. Review your bypass rules and ensure they do not conflict with the required domains listed in the Tenant Restrictions configuration requirements.
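
One way to run the review described above, as an added example (not Check Point's tooling): the script compares bypass-rule domains, here a few enabled rows copied from the default rule table on this page, against a must-inspect list. The `MUST_INSPECT` hostnames are constructed placeholders, the function names are hypothetical, and the matching semantics noted in the comments are assumptions.

```python
# Added example: find bypass-rule domains that would exempt a must-inspect host.
# Assumption: how the product matches bare domains against subdomains, and
# wildcards against the apex, is not stated on this page, so those cases are
# reported as "possible" rather than "definite".

# Enabled rules and domains copied from the default rule table on this page.
BYPASS_RULES = {
    "Bypass Google services - Pre-configured": ["www.google.com", "gstatic.com"],
    "Bypass OneDrive - Pre-configured": ["data.microsoft.com", "msauth.net"],
    "Dashlane - HTTPS bypass": ["dashlane.com", "*.dashlane.com"],
}

# Constructed placeholders: substitute the domains from your Tenant
# Restrictions configuration requirements.
MUST_INSPECT = ["gstatic.com", "placeholder-login.data.microsoft.com",
                "placeholder-sso.dashlane.com", "placeholder-idp.example"]


def classify(bypass_entry, required_host):
    """Return 'definite', 'possible' or None for one bypass entry vs one host."""
    entry = bypass_entry.strip().lower().rstrip(".")
    host = required_host.strip().lower().rstrip(".")
    wildcard = entry.startswith("*.")
    zone = entry[2:] if wildcard else entry
    if host == zone:
        # "*.zone" may or may not cover the apex itself.
        return "possible" if wildcard else "definite"
    if host.endswith("." + zone):  # label-boundary match, not a raw suffix
        # A bare "zone" entry may or may not cover its subdomains.
        return "definite" if wildcard else "possible"
    return None


def audit(rules, must_inspect):
    """Return sorted (verdict, rule, entry, host) tuples for every conflict."""
    findings = []
    for rule, entries in rules.items():
        for entry in entries:
            for host in must_inspect:
                verdict = classify(entry, host)
                if verdict:
                    findings.append((verdict, rule, entry, host))
    return sorted(findings)


if __name__ == "__main__":
    for verdict, rule, entry, host in audit(BYPASS_RULES, MUST_INSPECT):
        print(f"{verdict:8}  {host}  overlaps '{entry}' in rule '{rule}'")
```

Treat every "possible" finding as a conflict until you have confirmed how the bypass rule matches subdomains in your tenant.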

To view the complete list of default Bypass Rules, go to **Web Security** > **Bypass Rules**.

| Rule Name | Status | Source | Programs | Domains | Categories |
| --- | --- | --- | --- | --- | --- |
| Bypass Microsoft Teams - Pre-configured | Enabled | Any | com.microsoft.teams Teams.exe | N/A | N/A |
| Bypass sensitive traffic - Pre-configured | Disabled | Any | Any | N/A | Financial Services, Government, Health and Medicine, Legal |
| Bypass Microsoft Outlook - Pre-configured | Enabled | Programs | com.microsoft.Outlook.exe outlook.exe | N/A | N/A |
| Bypass Microsoft updates - Pre-configured | Enabled | Any | Any | settings-win.data.microsoft.com vortex-win.data.microsoft.com delivery.mp.microsoft.com tsfe.trafficshaping.dsp.mp.microsoft.com update.microsoft.com sls.update.microsoft.com | N/A |
| Bypass Adobe updates - Pre-configured | Enabled | Any | Any | adobe.com adobetag.com | N/A |
| Bypass Java updates - Pre-configured | Enabled | Any | Any | sjremetrics.java.com javadl-esd-secure.oracle.com | N/A |
| Bypass Mozilla Firefox updates - Pre-configured | Enabled | Any | Any | download-installer.cdn.mozilla.net | N/A |
| Bypass AWS console - Pre-configured | Enabled | Any | Any | console.aws.amazon.com docs.aws.amazon.com signin.aws.amazon.com fls-na.amazon.com cdn.assets.as2.amazonaws.com aws-signin-website-assets.s3.amazonaws.com opfcaptcha-prod.s3.amazonaws.com d1dgtfo2wk29o4.cloudfront.net Images-na.ssl-images-amazon.com | N/A |
| Bypass Dropbox - Pre-configured | Enabled | Programs | Dropbox.exe DropboxUpdate.exe DbxSvc.exe com.getdropbox.dropbox com.getdropbox.dropbox.garcon com.getdropbox.dropbox.activityprovider com.getdropbox.dropbox.fileprovider | N/A | N/A |
| Bypass Google services - Pre-configured | Enabled | Any | Any | alt2-mtalk.google.com android.clients.google.com www.google.com android.googleapis.com cryptauthenrollment.googleapis.com device-provisioning.googleapis.com digitalassetlinks.googleapis.com fcmconnection.googleapis.com fcmtoken.googleapis.com firebaseperusertopics-pa.googleapis.com play.googleapis.com semanticlocation-pa.googleapis.com lh3.googleusercontent.com play-lh.googleusercontent.com gstatic.com gvt1.com | N/A |
| Bypass Google Drive – Pre-configured | Enabled | Programs | googledrivefs.exe com.google.drivefs com.google.drivefs.finderhelper.findersync | N/A | N/A |
| Bypass OneDrive - Pre-configured | Enabled | Any | Any | cdn.funcaptcha.com fpt.live.com odc.officeapps.live.com skyapi.policies.live.net signup.live.com skyapi.live.net pipe.aria.microsoft.com data.microsoft.com svc.ms msauth.net cdn.onenote.net | N/A |
| Bypass Goto [LogMeIn] - Pre-configured | Enabled | Any | Any | *.accounts.logme.in *.app.goto.com *.cdn.walkme.com *.cdngetgo.com *.clientstream.launchdarkly.com *.cloudfront.net *.expertcity.com *.filestackapi.com *.getgo.com *.getgocdn.com *.getgoservices.com *.getgoservices.net *.gofastchat.com *.goto.com *.goto.eu *.goto-rtc.com *.gotoinc.com *.gotostage.com *.gotowebinar.com *.ingest.sentry.io *.internap.net *.internapcdn.net *.joinwebinar.com *.launchdarkly.com *.logmein.com *.logmein.eu *.logmeininc.com *.psyjs-cdn.nuvixa.com *.psyjs-cdn.personify.live *.webinar.com api.filepicker.io builds.cdn.getgo.com builds.cdn.goto.com goto-desktop.s3.amazonaws.com launch.getgo.com meet.goto.com | N/A |
| Bypass Microsoft Lync and Skype - Pre-configured | Enabled | Any | Any | lync.com az801095.vo.msecnd.net i.s-microsoft.com | N/A |
| Bypass Apple services - Pre-configured | Enabled | Any | Any | p24-keyvalueservice.icloud.com apps.apple.com itunes.apple.com mzstatic.com gs-loc.apple.com gsa.apple.com securemetrics.apple.com swscan.apple.com xp.apple.com ppq.apple.com akadns.net mail.me.com music.apple.com configuration.apple.com gdmf.apple.com gg.apple.com gs.apple.com ig.apple.com mesu.apple.com oscdn.apple.com osrecovery.apple.com skl.apple.com swcdn.apple.com swdist.apple.com swdownload.apple.com updates-http.cdn-apple.com updates.cdn-apple.com | N/A |
| Bypass Bitdefender services - Pre-configured | Enabled | Any | Any | cdn.bitdefender.net download.bitdefender.com login.bitdefender.net login.bitdefender.com nimbus.bitdefender.net push.bitdefender.net upgrade.bitdefender.com | N/A |
| Bypass Zoom - Pre-configured | Enabled | Any | Zoom.exe com.zoom.video | N/A | N/A |
| Bypass Webex - Pre-configured | Enabled | Any | Any | webex.com | N/A |
| Bypass Spotify - Pre-configured | Enabled | Any | Any | spotify.com | N/A |
| Check Point Updates - HTTPS bypass | Enabled | Any | Any | avupdates.checkpoint.com secureupdates.checkpoint.com updates.checkpoint.com | N/A |
| Dashlane - HTTPS bypass | Enabled | Any | Any | dashlane.com *.dashlane.com | N/A |
| Facebook - HTTPS bypass | Disabled | Any | Any | *.facebook.com | N/A |
| Finch VPN - HTTPS bypass | Enabled | Any | Any | amber.finchapi.com www.finchvpn.com | N/A |
| MyQuickCloud - HTTPS bypass | Enabled | Any | Any | *.myquickcloud.com | N/A |
| Elster de - HTTPS bypass | Enabled | Any | Any | *.elster.de datenannahme1.elster.de datenannahme2.elster.de datenannahme3.elster.de datenannahme4.elster.de datenannahme5.elster.de datenannahme6.elster.de datenannahme7.elster.de datenannahme8.elster.de datenannahme9.elster.de datenannahme0.elster.de datenannahme.elster.de | N/A |
