Certificate Pinned App (CPA)

  • 14 January 2023
  • 0 replies

Userlevel 3
Badge +13
  • Netskope Employee
  • 8 replies

This is an extension to my last post on Network Tunnels and SSL DND Policies .


Netskope has powerful feature called Certificated Pinned Applications; we will call it CPA for brevity here.


A CPA app definition can help you tie in a process with their domains thereby allowing you to limit the scope of bypasses. When you call a CPA into a steering exception you are no longer allowing a whole domain to bypass, just the ones tied to CPA app definition! CPA app definition needs to be called into individual steering configurations further limiting the user groups that they are tied to.


Only the processes that call the respective domains tied to those apps specified will be limited to bypassing those domains.


Another critical use case: If you are concerned about IP restrictions and unable to allow Netskope New Edge consolidated list of IP's, define a CPA and associate to their domains. Call CPA in the steering config. This will allow traffic from that process to go DIRECT (out of your egress firewall not over Netskope's New Edge DTLS or TLS tunnel).


You can use FQDNs or enter a * as a wildcard under custom domains on CPA. Subdomains of the main FQDN are honored. Not a good practice to use wildcard unless you are using it for a quick fix. E.g.  the vendor of that process hasn't shared all the domains the process will communicate with. A wildcard will allow that CPA to continue to work to any domain called by that process. A quick and handy fix during the initial phase 0 of the deployment!


(Note: If you are unable to enter a wildcard "*" under CPA contact support or your Netskope representative to enable Enhanced Certificate Pinned App feature. This is behind a feature flag and some tenants may have this flag disabled).


There are a few factory defined CPAs that will get updated with new releases based on Netskope's app knowledge. You can add or remove those CPA's from the steering.


To make life easier managing the exceptions: All factory defined and custom CPA's are in a central location now (as of release today, tenant UI path below).


Settings > Security Cloud Platform > App Definition > Certificate Pinned Apps


Tips: 🔵🔵🔵

  • Multiple processes in one CPA:

Multiple processes can be added to one CPA app definition. Multiple platforms (e.g. Windows, Macbooks) are supported. Add processes comma separated and all lower cases (screeshot CPA5.png). Space after comma not required.

  • How to distinguish between a custom CPA and factory built CPA?

-A CPA that is enclosed in square brackets is a custom CPA. This will help you distinguish between factory CPA and custom CPA's you have defined.

  • If you are already in production enable the Custom Domains during change window

-Once a CPA has been configured CPA changes should be done during change window

-Unless you add the required domains or wildcard any CPA changes can have an impact to that app.

  • Limit the proliferation

-With great power comes great responsibility. Be cognizant that creating CPA means if a malicious user has admin privilege to create a process, that user can rename a process to match with CPA app definition and get around Netskope tunnel. In other words: Do not reveal CPA app definition to larger user base.

0 replies

Be the first to reply!