Creating a Custom Certificate Pinned Application

If you want web traffic from certain applications to bypass the Netskope cloud, you can add them as custom certificate pinned applications.

To create a custom certificate pinned application:

  1. Go to Settings > Security Cloud Platform > App Definition.
  2. Click the Certificate Pinned Apps tab.
  3. Click New Certificate Pinned App.
  4. In the New Certificate Pinned Application window:
    • Application Name: Enter a name for the certificate pinned application.
    • Platform: Choose the operating system platform for this application. If this application is available on multiple platforms, click +Add Platform to add more definitions. Ensure you use:
      • Domain-based configuration for Android 9 or lower.
      • Process-based configuration for Android 10 or higher.
    • Definition: Enter the applicable program files of the application. You can add the definitions in the following format:
      • Exact: Enter the exact process name for matching. You can enter multiple entries separated by commas. Netskope doesn’t support quoted input or absolute paths. Enter only the process name, such as googleefs.exe.
      • RegEx: Enter a Perl Compatible Regular Expression (PCRE) to use wildcard formats for process names such as python*.exe or ^([a-zA-Z0-9_-]+).exe. You can enter multiple entries separated by commas. To learn more about supported regex formats and examples, see Supported Regex.

        You can also use the nsdiag -x command to verify whether a string matches a regular expression:

        nsdiag -x <regular expression> <string to match>

        Following are some examples:

        ^client[0-9].google.com will match "client1.google.com"
        C:\Program Files (x86)\Netskope\STAgent>nsdiag -x "^client[0-9].google.com" "client1.google.com"
        Matched

        ^sgr[\d]{1,3}.apple.com will match sgr0.apple.com
        C:\Program Files (x86)\Netskope\STAgent>nsdiag -x "^sgr[\d]{1,3}.apple.com" "sgr0.apple.com"
        Matched

        python\d.\d.exe will match python3.0.exe
        C:\Program Files (x86)\Netskope\STAgent>nsdiag -x "python\d.\d.exe" "python3.0.exe"
        Matched

        (chrome)\d+(?:.\d+){2}.exe will match chrome1.1.1.exe
        C:\Program Files (x86)\Netskope\STAgent>nsdiag -x "(chrome)\d+(?:.\d+){2}.exe" "chrome1.1.1.exe"
        Matched

        \b(\w+)\s\1\b will match "is is"
        C:\Program Files (x86)\Netskope\STAgent>nsdiag -x "\b(\w+)\s\1\b" "is is"
        Matched
    The New Certificate Pinned Application window for Exceptions under Steering Configuration.
  5. Click Save.
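Because a RegEx definition decides which processes skip inspection, it is worth testing each pattern against names that should be bypassed and names that should not before saving it. The following Python check is an added example, not Netskope code: it assumes Python's re module as a stand-in for the client's PCRE engine and unanchored search as the matching mode, and the process names and the tightened pattern are constructed for illustration. nsdiag -x remains the authoritative check.

```python
import re

def lint(pattern):
    """Report structural traits that widen a RegEx process definition."""
    bare = re.sub(r"\\.", "", pattern)       # drop escaped characters (\. \d \\ ...)
    bare = re.sub(r"\[[^\]]*\]", "", bare)   # drop character classes such as [0-9]
    findings = []
    if not bare.startswith("^"):
        findings.append("no ^ anchor")
    if not bare.endswith("$"):
        findings.append("no $ anchor")
    if "." in bare:
        findings.append("unescaped dot")     # a bare dot matches any character
    return findings

def audit(pattern, intended, unintended):
    """Return (missed, overmatched) process names for one pattern.

    Uses unanchored search, the broader of the possible matching modes,
    as a conservative assumption about how the agent applies the pattern.
    """
    rx = re.compile(pattern)
    missed = [name for name in intended if not rx.search(name)]
    overmatched = [name for name in unintended if rx.search(name)]
    return missed, overmatched

# Constructed sample names: one process meant to be bypassed, two that are not.
INTENDED = ["python3.0.exe"]
UNINTENDED = ["python3x0yexe", "xpython3.0.exe.bak"]

# Loose form, a tightened form, and a glob-style string read as a regex.
PATTERNS = [r"python\d.\d.exe", r"^python\d\.\d\.exe$", r"python*.exe"]

def review(patterns=PATTERNS):
    """Map each pattern to its lint findings and audit result."""
    report = {}
    for pattern in patterns:
        missed, overmatched = audit(pattern, INTENDED, UNINTENDED)
        report[pattern] = {"lint": lint(pattern),
                           "missed": missed,
                           "overmatched": overmatched}
    return report

if __name__ == "__main__":
    for pattern, result in review().items():
        print(pattern, result)
```

The loose pattern bypasses both unintended names, the anchored and escaped pattern bypasses only the intended one, and the glob-style string misses the intended name because `n*` means "zero or more n" in a regular expression.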

After creating your custom certificate pinned app, you can add it as an exception for your steering configuration.

Configuring Steering Configuration Exceptions from Certificate-Pinned Applications

Use the Steering Config Exceptions option to apply the certificate-pinned applications you created to steering configurations directly from the Certificate-Pinned app, without navigating to the Steering Configuration web UI. This functionality reduces the steps needed to apply certificate-pinned application exceptions across multiple steering configurations.

With this option, you can:

  • Assign a steering configuration directly to a Certificate-Pinned application.

  • Modify exception options and Advanced options directly from the steering configurations using the Action column.

  • View the certificate-pinned apps configured for each steering configuration.

You can use either one of the following methods to add steering configuration exceptions:

  • From Certificate-Pinned Application UI.

  • Directly after creating a new Certificate-Pinned Application.

From Certificate-Pinned Application User Interface (UI)

To configure steering configuration exceptions from Certificate-Pinned Apps:

  1. Click the ellipsis for the configuration where you want to add the steering configuration exception.

  2. Click Steering Config Exceptions.

  3. This displays the Steering Config Exceptions screen.

  4. Add or modify exceptions from the Action column. Click the edit icon to open the New Exceptions window. For steering configurations where the actions are already set, it opens the Edit Exception window.

After Creating a New Certificate-Pinned Application

After you create a new Certificate-Pinned Application, the screen displays a success message and an option to edit the steering config exception to bypass it. This option takes you to the Steering Config Exceptions screen, where you can configure the exception as described in the previous section.

Filter Steering Configurations

Steering Configuration Exceptions also gives you the ability to filter steering configurations with one of the following:

  • Dynamic Steering

  • Actions

To use the filter options:

  1. Click +Add Filter to view search results based on the options that you choose in the filter.

  2. Click Dynamic Steering to display steering configurations with dynamic steering enabled. Choose one of the following dynamic steering options:

    • Off

    • On-Premise

    • Off-Premise

      Steering configurations with dynamic steering enabled display On-Premises or Off-Premises in brackets next to the steering configuration name. If you want to view steering configurations without dynamic steering, choose Off.

      You can only filter steering configurations with dynamic steering enabled. You cannot apply or enable dynamic steering for a steering configuration here; go to Steering Configuration to do so.
  3. Click Actions to filter steering configurations with one of the following:

    • Bypass

    • Block

    • Mixed

    • Not Configured
