If you have SSL inspection enabled, whenever a user attempts to access an HTTPS site, the Zscaler service intercepts the HTTPS request and, through a separate SSL tunnel, sends its own HTTPS request to the destination server. During the SSL handshake with the destination server, the Zscaler service verifies the status of the destination server certificate. The service considers the destination server certificate untrusted if it meets one or more of the following conditions:
When the server certificate is untrusted, you have the option to Allow, Pass Through, or Block the user’s transaction.
You may want to select the Pass Through or Block options generally so that users are warned against or blocked from accessing sites with untrusted certificates. But there may also be specific sites that you trust – sites whose certificates you don’t need verified by the Zscaler service, and which you want users to access without any issues. In such scenarios, you can specify that the service skip decryption for those sites. This way, you can still warn users against or block sites with untrusted certificates in general, but allow users to access specific trusted sites without issues. For instructions, see How do I skip inspection for traffic to specific URLs or cloud apps? The Zscaler service will not decrypt transactions to sites you add in this field.