Configuration Example: Signing a CSR using the Active Directory Certificate Services


When you configure a custom intermediate root certificate for SSL inspection, you must generate and download a CSR in the admin portal, then send the CSR to your certificate authority (CA) for signing. Ensure that the CSR is signed as a Subordinate Certification Authority or Intermediate Certification Authority.

Below is a configuration example showing how the CSR can be signed using the Active Directory Certificate Services.

  1. On the Windows server, navigate to the Certification Authority.
  2. Select the organization, and go to Action > All Tasks > Submit new request.

Screenshot of the Certification Authority Submit new request option

  3. In the Open Request File window, navigate to your CSR and click Open.

Screenshot of the Open Request File window

  4. Double-click Pending Requests.
  5. Select your newly submitted request, right-click, and then go to All Tasks > Issue.

Screenshot of Pending Requests folder

  6. Go to Issued Certificates and double-click the newly issued certificate to select the certificate.
  7. When the new certificate appears, click the Details tab and click Copy to File.

Screenshot of Certificate window Details tab

  8. When the Certificate Export Wizard appears, click Next.
  9. For the Export File Format, select Base-64 encoded X.509 and click Next.

Screenshot of Certificate Export Wizard Export File Format

  10. Browse to the certificate you want to export and then click Next.
  11. Click Finish to exit the Wizard.
  12. Navigate to the certificate that you downloaded and change the certificate file name so it has a .pem extension. For example, zscalerdemo.pem. The Zscaler service accepts certificates with the .pem extension only.

Screenshot of Certificate Export Wizard File to Export
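
Before uploading, it is worth confirming that the exported file really is a Base-64 (PEM) certificate and that the CA issued it as a subordinate/intermediate CA rather than as an end-entity certificate. The following PowerShell check is an added example, not part of the original documentation; the function name `Test-IntermediateCaPem` is hypothetical, and the file name `zscalerdemo.pem` is the one used in the last step above.

```powershell
# Added example: sanity-check the exported certificate before upload.
# Test-IntermediateCaPem is a hypothetical helper name, not a built-in cmdlet.
function Test-IntermediateCaPem {
    param([Parameter(Mandatory)][string]$Path)

    $text = Get-Content -LiteralPath $Path -Raw
    # A "Base-64 encoded X.509" export is PEM text; a DER (binary) export will not match.
    if ($text -notmatch '(?s)-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----') {
        throw "No PEM certificate block found in $Path (was it exported as DER?)"
    }
    $der  = [Convert]::FromBase64String(($Matches[1] -replace '\s', ''))
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)

    # Basic Constraints carries the CA flag; Key Usage (if present) must allow certificate signing.
    $bc = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
        Select-Object -First 1
    $ku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
        Select-Object -First 1
    $certSign = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign

    [pscustomobject]@{
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        NotAfter        = $cert.NotAfter
        HasPemExtension = [IO.Path]::GetExtension($Path) -eq '.pem'
        IsCA            = [bool]($bc -and $bc.CertificateAuthority)
        # An absent Key Usage extension places no restriction on usage.
        CanSignCerts    = (-not $ku) -or $ku.KeyUsages.HasFlag($certSign)
        NotExpired      = $cert.NotAfter -gt (Get-Date)
    }
}

$result = Test-IntermediateCaPem -Path '.\zscalerdemo.pem'
$result | Format-List

if (-not ($result.HasPemExtension -and $result.IsCA -and $result.CanSignCerts -and $result.NotExpired)) {
    Write-Warning 'Certificate does not look like a usable intermediate CA certificate; re-check how the CSR was signed and exported.'
}
```

If `IsCA` is `False`, the request was issued as an end-entity certificate and cannot be used to sign the certificates generated during SSL inspection.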