About Deploying Private Service Edges for Private Applications
After you add a Private Service Edge, you must deploy it. Deployment consists of installing and enrolling the Private Service Edge, which allows it to obtain a TLS client certificate that it must use to authenticate itself to the cloud. After deployment, the Private Service Edge is ready to securely connect users to App Connectors and applications.
Understanding Private Service Edge Enrollment
When a Private Service Edge is installed for the first time, it does not yet have a key pair (i.e., a local private key and a corresponding TLS client certificate). It must first generate the local private key, which it encrypts using a hardware fingerprint, and then obtain the TLS client certificate through enrollment, which consists of the following steps:
- The Private Service Edge uses the local private key to generate a Certificate Signing Request (CSR).
- It uses the provisioning key to authenticate the CSR to the cloud. This is the provisioning key that you generated in the Admin Portal and provided to the Private Service Edge during installation.
- It receives a signed TLS client certificate from the cloud.
- The signed TLS client certificate is pinned to the Private Service Edge's hardware fingerprint.
Once the Private Service Edge is enrolled, it is paired with a single customer account and it cannot be enrolled again. Private Service Edges that are running in virtual machine (VM) environments should never be cloned, because the cloned instance's virtual hardware fingerprint no longer matches the one the keys were bound to.
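The enrollment steps above and the cloning caveat, worked through as an added example in Ruby with the standard OpenSSL library (illustrative code, not Zscaler's implementation or protocol). The key pair, CSR and X.509 certificates are real; the host attributes that form the hardware fingerprint, the 'pse-key-encryption' KEK label, the HMAC construction for authenticating the CSR with the provisioning key, and recording the pinned fingerprint in the certificate's subject serialNumber are assumptions made for the model:

```ruby
# Constructed model of the enrollment flow, not Zscaler's code. Assumed: which host attributes form the fingerprint, the KEK label, the MAC construction.
require 'openssl'

# Stable identifier derived from host attributes.
def hardware_fingerprint(*hw_attrs)
  OpenSSL::Digest.digest('SHA256', hw_attrs.join("\0"))
end

# Encrypt the local private key (AES-256-GCM) under a KEK derived from the fingerprint.
def seal_key(key, fp)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = OpenSSL::Digest.digest('SHA256', 'pse-key-encryption:' + fp)
  iv = c.random_iv
  ct = c.update(key.to_der) + c.final
  { iv: iv, ct: ct, tag: c.auth_tag }
end

# Decrypt the sealed key; the GCM tag check fails when the fingerprint differs.
def open_key(sealed, fp)
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = OpenSSL::Digest.digest('SHA256', 'pse-key-encryption:' + fp)
  c.iv = sealed[:iv]
  c.auth_tag = sealed[:tag]
  OpenSSL::PKey::RSA.new(c.update(sealed[:ct]) + c.final)
rescue OpenSSL::Cipher::CipherError
  raise 'cannot unseal private key: hardware fingerprint does not match'
end

# MAC over CSR and fingerprint that both sides compute with the provisioning key.
def authenticate_csr(csr_der, fp, provisioning_key)
  OpenSSL::HMAC.digest('SHA256', provisioning_key, csr_der + fp)
end

# Build and sign a one-year certificate (self-signed when issuer is nil).
def issue_certificate(subject, public_key, signer_key, issuer = nil)
  cert = OpenSSL::X509::Certificate.new
  cert.serial = OpenSSL::BN.rand(63)
  cert.subject = OpenSSL::X509::Name.new(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = public_key
  cert.not_before, cert.not_after = Time.now, Time.now + 365 * 86400
  cert.sign(signer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Cloud side: a CA plus the provisioning key created in the Admin Portal.
class Cloud
  def initialize(provisioning_key)
    @provisioning_key = provisioning_key
    @ca_key = OpenSSL::PKey::RSA.generate(2048)
    @ca_cert = issue_certificate([['CN', 'enrollment CA']], @ca_key.public_key, @ca_key)
  end

  # Check the MAC and the CSR's own signature, then issue a client cert whose subject serialNumber records the pinned fingerprint.
  def enroll(csr_der, fp, provisioning_key, mac)
    raise 'unknown provisioning key' unless OpenSSL.secure_compare(provisioning_key, @provisioning_key)
    raise 'CSR authentication failed' unless OpenSSL.secure_compare(mac, authenticate_csr(csr_der, fp, provisioning_key))
    csr = OpenSSL::X509::Request.new(csr_der)
    raise 'CSR signature invalid' unless csr.verify(csr.public_key)
    subject = [['CN', 'private-service-edge'], ['serialNumber', fp.unpack1('H*')]]
    issue_certificate(subject, csr.public_key, @ca_key, @ca_cert).to_der
  end
end

# Appliance side: what a freshly installed Private Service Edge persists on disk.
class Edge
  def initialize(*hw_attrs)
    @fp = hardware_fingerprint(*hw_attrs)
    @sealed = seal_key(OpenSSL::PKey::RSA.generate(2048), @fp)
  end

  # CSR signed with the local key and authenticated with the provisioning key; a second call is refused.
  def enroll(cloud, provisioning_key)
    raise 'already enrolled; re-enrollment is not permitted' if @cert_der
    key = open_key(@sealed, @fp)
    csr = OpenSSL::X509::Request.new
    csr.subject = OpenSSL::X509::Name.new([['CN', 'private-service-edge']])
    csr.public_key = key.public_key
    csr.sign(key, OpenSSL::Digest.new('SHA256'))
    csr_der = csr.to_der
    @cert_der = cloud.enroll(csr_der, @fp, provisioning_key, authenticate_csr(csr_der, @fp, provisioning_key))
    'enrolled'
  end

  # True when the key unseals and the certificate pin matches the hardware the edge now runs on.
  def check!(*hw_attrs)
    fp = hardware_fingerprint(*hw_attrs)
    open_key(@sealed, fp)
    pinned = OpenSSL::X509::Certificate.new(@cert_der).subject.to_a.find { |name, _, _| name == 'serialNumber' }
    raise 'certificate pinned to a different hardware fingerprint' unless pinned && pinned[1] == fp.unpack1('H*')
    true
  end
end

host = ['cpu-0001', 'disk-ABC123', '00:11:22:33:44:55'] # constructed hardware attributes
cloud, edge = Cloud.new('constructed-provisioning-key'), Edge.new(*host)
puts "enroll:    #{edge.enroll(cloud, 'constructed-provisioning-key')}"
puts "same host: #{edge.check!(*host)}"
puts "cloned VM: #{edge.check!('cpu-0002', 'disk-XYZ789', '00:11:22:33:44:66') rescue $!.message}"
puts "re-enroll: #{edge.enroll(cloud, 'constructed-provisioning-key') rescue $!.message}"
```

Running it shows the three properties the text describes: enrollment succeeds once on the original host; the same sealed key and certificate fail on a clone with different virtual hardware, because the AES-GCM tag check on the sealed key rejects the mismatched fingerprint before the certificate pin is even consulted; and a second enrollment of the same edge is refused, as is enrollment with a provisioning key the cloud does not recognize.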
Deploying a Private Service Edge on a Supported Platform
Before you begin a deployment, read Private Service Edge Deployment Prerequisites, which provides detailed information on VM image sizing and scalability, supported platform requirements, deployment best practices, and other essential guidelines.
The deployment process differs depending on the platform used for the Private Service Edge. Zscaler recommends that Private Service Edges be deployed in pairs, to ensure continuous availability during software upgrades. To learn more, see the Deployment Guide for the platform.