NOTE: Configuring a custom intermediate root certificate is one of the tasks you must complete when deploying SSL inspection. See How do I deploy SSL inspection? for the full list of steps.
For an overview of the process that takes place when you configure a custom intermediate root certificate, see SSL Inspection Using a Custom Intermediate Root Certificate in About SSL Inspection.
To configure the Zscaler service to use your organization's certificate during the SSL negotiations, follow the instructions below.
To generate the CSR, log in to the Zscaler service portal and do the following:
After you download the CSR, send it to your CA for signing. Ensure that the CSR is signed as a Subordinate Certification Authority or Intermediate Certification Authority.
NOTE: If you use OpenSSL, ensure that the following attributes are set during signing:
basicConstraints=CA:TRUE
keyUsage=keyCertSign, cRLSign
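The OpenSSL signing step with the attributes above, followed by a check of the signed certificate before it is uploaded, as an added example that is not Zscaler's own tooling or documentation. The function names, file names, subjects, throwaway root CA and 30-day lifetime are constructed for the demonstration; in practice the CSR is the one downloaded from the portal and the CA certificate and key are your own.

```shell
# Added example; function names, file names, subjects and lifetimes are constructed.
# sign_intermediate_csr CSR CA_CERT CA_KEY OUT_CERT [DAYS]
sign_intermediate_csr() {
    ext=$(mktemp) || return 1
    printf '%s\n' '[v3_intermediate]' 'basicConstraints=CA:TRUE' \
        'keyUsage=keyCertSign, cRLSign' > "$ext"
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days "${5:-365}" -sha256 -extfile "$ext" \
        -extensions v3_intermediate -out "$4"
    rc=$?
    rm -f "$ext"
    return "$rc"
}

# check_intermediate CERT CA_CERT: succeeds only if CERT carries CA:TRUE,
# keyCertSign and cRLSign, and its signature chains to CA_CERT.
check_intermediate() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    for want in 'CA:TRUE' 'Certificate Sign' 'CRL Sign'; do
        printf '%s\n' "$text" | grep -q "$want" || return 1
    done
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# make_demo_inputs DIR: constructed stand-ins, a throwaway root CA and a CSR
# in place of the one downloaded from the portal.
make_demo_inputs() {
    cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
EOF
    openssl req -x509 -config "$1/demo.cnf" -newkey rsa:2048 -nodes \
        -days 30 -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
    openssl req -new -config "$1/demo.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=Constructed Intermediate' \
        -keyout "$1/inter.key" -out "$1/inter.csr" 2>/dev/null
}

d=$(mktemp -d) && ( cd "$d" && make_demo_inputs . &&
    sign_intermediate_csr inter.csr root.pem root.key inter.pem 30 &&
    check_intermediate inter.pem root.pem && echo "intermediate CA OK" )
rm -rf "$d"
```

A CSR signed without the extension file comes back as an ordinary end-entity certificate, which `check_intermediate` rejects.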
Optionally, you can upload the certificate chain that includes any other intermediate certificates that complete the chain to the intermediate root certificate you will upload. When you upload the certificate chain, the Zscaler service sends the intermediate root certificate along with this certificate chain and the signed server certificate to your users’ machines during SSL inspection. If you do not upload the certificate chain, the Zscaler service sends only your organization’s intermediate root certificate and its signed server certificate to the user’s machine. You can read more about the benefits of uploading the certificate chain in How Zscaler Protects SSL Traffic in About SSL Inspection.