When we first deployed Cloudflare Teams, the Gateway HTTP policies contained a pre-defined rule that would turn off SSL decryption for about 100 apps or so. All apps that use pinned certificates.

Question: Is this list automatically and dynamically updated by Cloudflare or do we have to maintain this ourselves (when we find pinned cert websites that need to be exempt from decryption)?

A little from column A and a little from column B. If you have the ‘All’ option selected in the rule then it should pick up new entries as Cloudflare adds them. If you have deselected the ‘all’ because you wish to be selective about what you add, net new entries wouldn’t be added automatically.

Also, you can provide feedback in the app for apps you find and you can create a DNI rule for the hosts associated with it. Cloudflare may choose to add it to the list it maintains, but there are a lot of apps out there and not necessarily every app that uses cert pinning is one where either Cloudflare has enough data or it may be an app that the average company might not want to allow (e.g. if you find a questionable content app that used cert pinning it is somewhat unlikely we’d add it to the list).

Hey @cscharff, thanks for that. One more question, if you don’t mind:

Which “All” option are you referring to? I am not seeing any option that says “All”. This is what the rule looks like (we didn’t change it and left everything at the default):

Yes, sorry. In the UX, while you are building a rule, you can deselect individual elements, in which case the list becomes the components rather than the parent object, which you have selected (all) instead of individual apps (from list).

Got it. I think. So as long as I have the main category selected (“Do Not Decrypt”) I should be fine.


