Generating Zscaler-Issued Enrollment (CA) Certificates

A CA certificate is required to enroll Zscaler Client Connector, to enroll AppProtection-enabled application segments, and to configure an App Connector or a Private Service Edge for enrollment. Enrollment certificates differ from web server certificates. Web server certificates provide access to web applications. To learn more, see About Enrollment (CA) Certificates.

Zscaler recommends creating a CA certificate for Zscaler Client Connector, another certificate for App Connectors, and a third for Private Service Edges. If you have AppProtection enabled, you need to create an additional CA certificate.

To generate a Zscaler-issued enrollment (CA) certificate:

  1. Go to the Enrollment Certificates page (Infrastructure > Private Access > Component > Enrollment Certificates).
  2. Click Generate Certificate.

The Generate Enrollment Certificate window appears.

  3. In the Generate Enrollment Certificate window:
    • Name: Enter a name for the certificate. The name cannot contain special characters, with the exception of periods (.), hyphens (-), and underscores (_).
    • Description: (Optional) Enter a description.
    • Type: Select one of the following options:
      • Root CA: Select this option if you want to use a root certificate authority.
      • Intermediate CA: Select this option if you want to use an intermediate certificate authority.

For Intermediate CA, select a Parent Certificate, which can be a preloaded certificate or another Zscaler-issued certificate.

    • Client Certificate Type: Select one of the following options:
      • None: Select this option if you are using this enrollment (CA) certificate to enroll App Connectors or Private Service Edges.
      • Client Connector: Select this option to use this enrollment (CA) certificate to enroll Zscaler Client Connector.
      • Isolation Client: Select this option to use this enrollment (CA) certificate to enroll Isolation clients.
      • AppProtection CA: Select this option to use this enrollment (CA) certificate to enroll AppProtection-enabled application segments. If there is an existing CA certificate and you create a new AppProtection CA certificate, it replaces the previous AppProtection CA certificate.

Enrollment Certificates page with Generate Certificate page within the ZPA Admin Portal

  4. Click Generate.