How do I use a custom certificate for SSL inspection?


NOTE: Configuring a custom intermediate root certificate is one of the tasks you must complete when deploying SSL inspection. See How do I deploy SSL inspection? for the full list of steps. 

For an overview of the process that takes place when you configure a custom intermediate root certificate, see SSL Inspection Using a Custom Intermediate Root Certificate in About SSL Inspection.

To configure the Zscaler service to use your organization's certificate during the SSL negotiations, follow the instructions below.

To generate the CSR, log in to the Zscaler service portal and do the following:

  1. Go to Policy > Web > SSL Inspection.
  2. In Intermediate Root Certificate Authority for SSL Interception > CSR for Custom Certificate, click Generate New CSR to create a Certificate Signing Request (CSR).
  3. Fill out the CSR page as follows and click Save.
    • Enter a name for the certificate.
    • Enter the common name (Fully Qualified Domain Name (FQDN)) of your organization, such as zscaler.com.
    • Enter the name of your organization or company.
    • Enter the division or department name.
    • Enter the city, state and country where your organization is located. See image.
  4. In Intermediate Root Certificate Authority for SSL Interception > CSR for Custom Certificate, click Download CSR.


Screenshot of Zscaler Generate Certificate Signing Request window for SSL inspection

After you download the CSR, send it to your CA for signing. Ensure that the CSR is signed as a Subordinate Certification Authority or Intermediate Certification Authority.

NOTE: If you use OpenSSL, ensure that the following attributes are set during signing:

basicConstraints=CA:TRUE
keyUsage=keyCertSign, cRLSign

An example of how the CSR can be signed using Active Directory Certificate Services is also available.
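The OpenSSL signing described in the note, carried through end to end as an added example (not Zscaler's own tooling): the script signs a CSR as a subordinate CA with the two attributes from the note and then checks the issued certificate before it is uploaded. The root CA and the CSR are generated locally as constructed stand-ins for your organization's CA and the CSR downloaded from the portal; the file names and the $WORK directory are assumptions.

```shell
#!/bin/sh
# Added example: sign a CSR as a subordinate (intermediate) CA with OpenSSL and
# verify the result. Requires the openssl CLI. All key material here is
# generated locally for illustration; nothing is reused from a real CA.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory

# Constructed stand-in for the organization's existing root CA.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -subj "/CN=Example Root CA/O=Example Org" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# Constructed stand-in for the CSR downloaded from the Zscaler portal.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=zscaler.com/O=Example Org/OU=IT/L=San Jose/ST=CA/C=US" \
    -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
}

# Sign the CSR as an intermediate CA. Without an extfile, `openssl x509 -req`
# issues a plain end-entity certificate that cannot sign server certificates.
sign_as_subordinate_ca() {
  printf 'basicConstraints=CA:TRUE\nkeyUsage=keyCertSign, cRLSign\n' \
    > "$WORK/sub_ca.ext"
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 365 -sha256 \
    -extfile "$WORK/sub_ca.ext" -out "$WORK/sub.crt" 2>/dev/null
}

# Pre-upload check: the certificate must be a CA certificate, must carry
# keyCertSign and cRLSign, and must chain to the root. Returns non-zero if
# any of these is missing.
verify_intermediate() {
  txt=$(openssl x509 -in "$WORK/sub.crt" -noout -text)
  echo "$txt" | grep -q 'CA:TRUE' || return 1
  echo "$txt" | grep -q 'Certificate Sign' || return 1
  echo "$txt" | grep -q 'CRL Sign' || return 1
  openssl verify -CAfile "$WORK/root.crt" "$WORK/sub.crt" >/dev/null 2>&1
}

make_root_ca && make_csr && sign_as_subordinate_ca && verify_intermediate \
  && echo "intermediate CA certificate ready to upload: $WORK/sub.crt"
```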


Optionally, you can upload the certificate chain that includes any other intermediate certificates that complete the chain to the intermediate root certificate you will upload. When you upload the certificate chain, the Zscaler service sends the intermediate root certificate along with this certificate chain and the signed server certificate to your users’ machines during SSL inspection. If you do not upload the certificate chain, the Zscaler service sends only your organization’s intermediate root certificate and its signed server certificate to the user’s machine. You can read more about the benefits of uploading the certificate chain in How Zscaler Protects SSL Traffic in About SSL Inspection.

To upload the certificate chain:

  1. Go to Policy > Web > SSL Inspection.
  2. In Intermediate Root Certificate Authority for SSL Interception > Chain Certificate, click Upload.
    The file must be in .pem format.

To upload the signed intermediate root certificate:

  1. In Intermediate Root Certificate Authority for SSL Interception > Custom Certificate, click Upload New Certificate.
  2. Click Save and activate the change.
  3. Ensure that your organization’s root certificate is installed on the browsers of your users. Browsers will trust the new intermediate certificate and any certificate signed by it. Note that if you upload a custom certificate that is invalid, for example, the common name in the certificate does not match, the Zscaler service will not use the Zscaler root certificate. Instead, it will continue to use the previously uploaded self-signed certificate.


After you've uploaded the intermediate root certificate, turn on Use Custom Certificate to enable the Zscaler service to begin using the certificate for SSL inspection.

Screenshot of Use Custom Certificate switch for Zscaler SSL inspection