
About Enrollment (CA) Certificates

App Connectors, Private Service Edges, and Zscaler Client Connector are issued certificates that are signed by an enrollment certificate. The enrollment certificate must be capable of acting as a certificate authority (CA) for processing certificate signing requests (CSRs).

Enrollment certificates allow you to:

  • Generate a new certificate by creating a CSR that is signed by your CA.
  • Manage the certificates that are presented to your users by App Connectors, Private Service Edges, and Zscaler Client Connector.

You can upload an enrollment certificate using one of the following workflows:

  • Use Zscaler-issued CA certificates

You would generate certificates for Zscaler Client Connector, Private Service Edges, and App Connectors using the Admin Portal, where the CA can be:

  • A Zscaler-issued root CA
  • An intermediate CA, where the root (i.e., parent) certificate is one of the preloaded CA certificates or another Zscaler-issued CA certificate

Make sure the same root certificate is used by the enrollment certificates for enrolling App Connectors, Private Service Edges, and Zscaler Client Connector.
If you are evaluating , Zscaler recommends that you use the preloaded certificates provided for expediency. When you deploy Private Applications to your production environment, you can continue using these certificates or generate additional Zscaler-issued certificates as needed.

To learn more, see Understanding Preloaded Enrollment (CA) Certificates and Generating Zscaler-issued Enrollment (CA) Certificates.

  • Use your organization's CA certificates

You would:

  1. Create CSRs for Zscaler Client Connector, Private Service Edges, and App Connectors using the Admin Portal.
  2. Sign the CSRs using your organization's signing CA, which can be a root or intermediate CA. This results in the CSRs becoming signed certificates.
  3. Upload the signed certificates using the Admin Portal.

Private Applications must verify the chain of trust for the uploaded signed certificates. So, every certificate must be present in the chain of trust, starting from the signed certificates created in step 2 up to and including the root CA certificate.

You only need to upload the certificate chain of trust once.

You can upload the certificate chain using one of the following methods:

  • Method 1: Prepend the certificate chain to each signed certificate prior to uploading them.
  • Method 2: Upload the signed certificates and the certificate chain corresponding to each, separately.

To learn more, see Creating Certificate Signing Requests for Enrollment (CA) Certificates and Uploading Enrollment (CA) Certificates and the Certificate Chain.
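
The signing step and the chain-of-trust requirement above can be checked locally before anything is uploaded. The following is an added example (not Zscaler tooling and not part of the original page) that uses the openssl CLI on a constructed throwaway PKI; the file names, subjects, and the use of basicConstraints CA:TRUE with keyCertSign as the test for "capable of acting as a CA" are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example: all names, subjects and keys are constructed throwaway values.
set -eu

# new_csr NAME: write NAME.key and NAME.csr (stand-in for a CSR created in the portal).
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "/O=Example Corp/CN=$1" -out "$1.csr" 2>/dev/null
}

# self_sign NAME EXTFILE: turn NAME.csr into a self-signed root, NAME.pem.
self_sign() {
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -sha256 \
    -extfile "$2" -out "$1.pem" 2>/dev/null
}

# issue NAME SIGNER EXTFILE: sign NAME.csr with SIGNER's key (step 2), writing NAME.pem.
issue() {
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$3" -out "$1.pem" 2>/dev/null
}

# build_demo_pki DIR: root -> signing-ca -> enrollment (CA-capable), plus a non-CA leaf.
build_demo_pki() (
  cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=critical,CA:FALSE\n' > leaf.ext
  for n in root signing-ca enrollment leaf; do new_csr "$n"; done
  self_sign root ca.ext
  issue signing-ca root ca.ext
  issue enrollment signing-ca ca.ext
  issue leaf signing-ca leaf.ext
  cat signing-ca.pem root.pem > chain.pem   # chain of trust, up to and including the root
)

# preupload_check CERT ROOT CHAIN: prints ok | not-a-ca | chain-incomplete.
preupload_check() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' || { echo not-a-ca; return 0; }
  openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1 \
    || { echo chain-incomplete; return 0; }
  echo ok
}

work=$(mktemp -d)
build_demo_pki "$work"
echo "enrollment, full chain: $(preupload_check "$work/enrollment.pem" "$work/root.pem" "$work/chain.pem")"
echo "enrollment, root only:  $(preupload_check "$work/enrollment.pem" "$work/root.pem" "$work/root.pem")"
echo "leaf, full chain:       $(preupload_check "$work/leaf.pem" "$work/root.pem" "$work/chain.pem")"
rm -rf "$work"
```

The root-only case fails because the intermediate that signed the enrollment certificate is absent, which is the gap the chain-of-trust requirement closes.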

About the Enrollment Certificates Page

On the Enrollment Certificates page (Infrastructure > Private Access > Component > Enrollment Certificates), you can do the following:

  1. Generate a Zscaler-issued enrollment (CA) certificate.
  2. Upload a certificate chain.
  3. Create a CSR for an enrollment (CA) certificate.
  4. Expand all of the rows in the table to see more information about each enrollment (CA) certificate.
  5. View a list of all signing certificates used for enrollment that are configured for your organization, as well as the preloaded enrollment (CA) certificates provided by Zscaler. For each certificate, you can see:
    • Name: The name of the certificate. A Zscaler Client Connector icon is displayed next to the name if it is being used as a signing certificate for certificates issued to clients enrolling in Zscaler Client Connector. An Isolation Client icon is displayed next to the name if it is being used as a signing certificate for isolation clients.
    • Description: The certificate's description, if available.
    • Parent Certificate: The parent certificate for the signing certificate, if any.
    • Issued By: The CA that issued the certificate.
    • Issued To: The entity that the CA issued the certificate to.
    • Creation Date: The creation date of the certificate.
    • Expiry Date: The expiration date of the certificate.
    • Common Name: The CN for the hostname associated with the certificate.

Depending on the Expiry Date, the following icons are displayed next to the Name:

  • If the certificate has expired, a red warning icon is displayed.
  • If the certificate has less than 7 days before expiration, a yellow caution icon is displayed.
  • If the certificate has less than 30 days before expiration, an orange info icon is displayed.

  6. Download the CSR file for an enrollment certificate.
  7. Upload a signed certificate.
  8. Edit an existing enrollment (CA) certificate.
  9. Delete an enrollment (CA) certificate.

Related Articles

  • About Enrollment (CA) Certificates
  • Understanding Preloaded Enrollment (CA) Certificates
  • Generating Zscaler-Issued Enrollment (CA) Certificates
  • Creating Certificate Signing Requests for Enrollment (CA) Certificates
  • Uploading Enrollment (CA) Certificates and the Certificate Chain
  • Editing Enrollment (CA) Certificates