When you configure a custom intermediate root certificate for SSL inspection, you must generate and download a CSR in the admin portal, then send the CSR to your certificate authority (CA) for signing. Ensure that the CSR is signed as a Subordinate Certification Authority or Intermediate Certification Authority.
The following configuration example shows how the CSR can be signed using Active Directory Certificate Services.
- On the Windows server, navigate to the Certification Authority.
- Select the organization, and go to Action > All Tasks > Submit new request.
- In the Open Request File window, navigate to your CSR and click Open.
- Double-click Pending Requests.
- Select your newly submitted request, right-click it, and then go to All Tasks > Issue.
- Go to Issued Certificates and double-click the newly issued certificate to open it.
- When the new certificate appears, click the Details tab and click Copy to File.
- When the Certificate Export Wizard appears, click Next.
- For the Export File Format, select Base-64 encoded X.509 and click Next.
- Browse to the certificate you want to export and then click Next.
- Click Finish to exit the Wizard.
- Navigate to the certificate that you downloaded and change the certificate file name so it has a .pem extension. For example, zscalerdemo.pem. The Zscaler service accepts certificates with the .pem extension only.
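
Before uploading, it is worth confirming that the exported file really is Base-64 encoded and that the CA issued it as a subordinate/intermediate CA certificate rather than an end-entity certificate. The PowerShell below is an added example, not part of the original procedure or any Zscaler tooling; the function name `Test-IntermediateCaExport` and the input file name `zscalerdemo.cer` are assumptions.

```powershell
# Added example: check a certificate exported from AD CS, then save a .pem copy.
# Function name and file names are assumptions, not from the original page.
function Test-IntermediateCaExport {
    param(
        [Parameter(Mandatory)] [string] $Path,     # file written by the Certificate Export Wizard
        [Parameter(Mandatory)] [string] $PemPath   # copy to upload; must end in .pem
    )
    if ([IO.Path]::GetExtension($PemPath) -ne '.pem') {
        throw "Destination must have a .pem extension: $PemPath"
    }

    # A Base-64 encoded X.509 export is text that begins with a PEM header.
    # A DER encoded export is binary and fails this check.
    $firstLine = Get-Content -LiteralPath $Path -TotalCount 1
    if ($firstLine -notmatch '^-----BEGIN CERTIFICATE-----\s*$') {
        throw "Not Base-64 encoded X.509; export again with that format: $Path"
    }

    $ns   = 'System.Security.Cryptography.X509Certificates'
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object "$ns.X509Certificate2" -ArgumentList $full

    # Basic Constraints must identify the subject as a CA.
    $bc = $cert.Extensions | Where-Object { $_.GetType().FullName -eq "$ns.X509BasicConstraintsExtension" }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        throw "Basic Constraints does not mark this certificate as a CA."
    }

    # Key Usage, when present, must permit certificate signing.
    $ku = $cert.Extensions | Where-Object { $_.GetType().FullName -eq "$ns.X509KeyUsageExtension" }
    $keyCertSign = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign
    if ($ku -and -not $ku.KeyUsages.HasFlag($keyCertSign)) {
        throw "Key Usage does not include Certificate Signing."
    }

    Copy-Item -LiteralPath $Path -Destination $PemPath
    [pscustomobject]@{
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        NotAfter = $cert.NotAfter
        PemFile  = $PemPath
    }
}

# Example call with assumed file names:
Test-IntermediateCaExport -Path .\zscalerdemo.cer -PemPath .\zscalerdemo.pem
```

If the Basic Constraints check fails, the request was issued as an end-entity certificate and must be reissued by the CA as a subordinate CA certificate.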