Signing a CSR Using the Active Directory Certificate Services


When you configure a custom intermediate root certificate for SSL Inspection, you must generate and download a certificate signing request (CSR) in the Admin Portal, then send the CSR to a certificate authority (CA) for signing. Ensure that the CSR is signed as a subordinate CA or intermediate CA.

Below is a configuration example showing how the CSR can be signed by Active Directory Certificate Services using Certreq.exe. To learn more about Certreq, see the Microsoft technical documentation.

  1. Generate a certificate signing request. To learn how to do this, see How do I generate a Certificate Signing Request (CSR) for SSL Inspection? For this example, the downloaded file will be named zscalerdemo.csr.
  2. Open an elevated command prompt.
    1. Enter cmd in the search bar.
    2. Press CTRL + SHIFT + ENTER.
    3. A dialog prompt will appear asking if you want to run the program as an administrator. Select Yes to open an elevated command prompt.
  3. Enter the following command: certreq -submit -attrib "CertificateTemplate:SubCA" zscalerdemo.csr zscalerdemo.cer
  4. From the dialog box, choose the desired certificate authority.
  5. Press OK.
  6. The issued certificate will be saved as zscalerdemo.cer so long as you have domain administrator access permissions. Navigate to the certificate that you saved and change the certificate file name so it has a .pem extension. For example, zscalerdemo.pem. The Zscaler service only accepts certificates with the .pem extension.
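
The procedure above requires that the CSR be signed as a subordinate or intermediate CA. As an added example (not part of the original page, and not Zscaler or Microsoft code), the PowerShell function below inspects the certificate saved in step 6 before it is given the .pem name. Test-IssuedSubCA is a hypothetical name, and treating a .pem file as Base64 text with a BEGIN CERTIFICATE header is an assumption.

```powershell
# Added example, not from the original page. File names follow the page's example.
function Test-IssuedSubCA {
    param([string]$Path = '.\zscalerdemo.cer')

    $full = (Resolve-Path -LiteralPath $Path).Path
    # X509Certificate2 loads both DER and Base64 encoded certificate files.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)

    # Basic Constraints tells whether the certificate is a CA certificate.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    # Key Usage tells whether the key may sign other certificates.
    $ku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $certSign = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign

    # A Base64 encoded file starts with a BEGIN CERTIFICATE header; DER is binary.
    $firstLine = Get-Content -LiteralPath $full -TotalCount 1

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        IsCA          = [bool]($bc -and $bc.CertificateAuthority)
        CanSignCerts  = [bool]($ku -and (($ku.KeyUsages -band $certSign) -eq $certSign))
        # A subordinate CA certificate is issued by a different CA, not self-signed.
        IssuedByOther = $cert.Subject -ne $cert.Issuer
        IsBase64Text  = $firstLine -like '-----BEGIN CERTIFICATE-----*'
    }
}

$result = Test-IssuedSubCA -Path '.\zscalerdemo.cer'
$result | Format-List

if ($result.IsCA -and $result.CanSignCerts -and $result.IssuedByOther -and $result.IsBase64Text) {
    # Copy rather than rename so the original .cer stays available.
    Copy-Item -LiteralPath '.\zscalerdemo.cer' -Destination '.\zscalerdemo.pem'
    Write-Output 'Checks passed; wrote zscalerdemo.pem'
} else {
    Write-Warning 'Certificate failed a check; review the fields above before creating the .pem file.'
}
```

If IsCA or CanSignCerts is False, the request was not issued from a subordinate CA template and the certificate cannot act as an intermediate CA.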