Certificate pinning is a security mechanism where an application is configured to trust only a specific server certificate. When Zscaler Internet Access (ZIA) performs SSL inspection, it presents its own certificate to the client application, which is signed by the Zscaler root CA. A certificate-pinned application will reject this certificate because it does not match the "pinned" one, causing the TLS/SSL connection to fail. The Zscaler administrator can diagnose this by reviewing the Web Insights SSL logs, where this event will be recorded as a "Failed Client Handshake," indicating the client application terminated the connection.

B. Rebooting the endpoint is a generic troubleshooting step that will not resolve the fundamental certificate mismatch caused by pinning.

C. The ZIA Web Policy is used to define access rules, not to diagnose TLS/SSL handshake failures at the protocol level.

D. The SaaS application analytics tab provides high-level insights into application usage and risk, not detailed connection-level error logs.

1. Zscaler Help Portal

"Troubleshooting Certificate Pinned Applications": "When Zscaler SSL inspection is enabled

certificate-pinned applications break because the Zscaler root certificate is not the pinned certificate." This document establishes that the application will fail due to the certificate mismatch

a failure that is logged. The solution described (bypassing SSL inspection) is what an administrator would do after identifying the failure in the logs.

2. Zscaler Help Portal

"Web Insights Logs: Columns": The documentation for Web Insights Logs details the "SSL Error" column. This column provides specific information about SSL handshake failures

including errors like "Failed Client Handshake

" which is the direct indicator of a certificate pinning issue when SSL inspection is active.

3. Zscaler Help Portal

"About SSL Inspection": "Some applications and websites use a technique called certificate pinning... If you enable SSL inspection for traffic to these sites or applications

the Zscaler service will be unable to decrypt the traffic

and users will not be able to access them." This confirms that the failure is an expected outcome of inspecting pinned traffic

and the logs are the tool to observe this failure.