Secure Private Access (ZPA)

About Enrollment (CA) Certificates


App Connectors, ZPA Private Service Edges, Private Cloud Controllers, and Zscaler Client Connector are issued certificates that are signed by an enrollment certificate. The enrollment certificate must be capable of acting as a certificate authority (CA) for processing certificate signing requests (CSRs).

Enrollment certificates allow you to:

  • Generate a new certificate by creating a CSR that is signed by your CA.
  • Manage the certificates that are presented to your users by App Connectors, ZPA Private Service Edges, Private Cloud Controllers, and Zscaler Client Connector.

You can upload an enrollment certificate to ZPA using one of the following workflows:

  • Use Zscaler-issued CA certificates

To use Zscaler-issued CA certificates for ZPA, generate certificates for Zscaler Client Connector, ZPA Private Service Edges, Private Cloud Controllers, and App Connectors using the ZPA Admin Portal, where the CA can be:

  • A Zscaler-issued root CA
  • An intermediate CA, where the root (i.e., parent) certificate is one of the preloaded ZPA CA certificates or another Zscaler-issued CA certificate

Make sure the same root certificate is used by the enrollment certificates for enrolling App Connectors, ZPA Private Service Edges, Private Cloud Controllers, and Zscaler Client Connector. If you are evaluating ZPA, Zscaler recommends that you use the preloaded ZPA certificates provided for expediency. When you deploy ZPA to your production environment, you can continue using these certificates or generate additional Zscaler-issued certificates as needed.

To learn more, see Understanding Preloaded Enrollment (CA) Certificates and Generating Zscaler-issued Enrollment (CA) Certificates.

  • Use your organization's CA certificates

To use your organization's CA certificates for ZPA:

  1. Create CSRs for Zscaler Client Connector, ZPA Private Service Edges, Private Cloud Controllers, and App Connectors using the ZPA Admin Portal.
  2. Sign the CSRs using your organization's signing CA, which can be a root or intermediate CA. This results in the CSRs becoming signed certificates.
  3. Upload the signed certificates using the ZPA Admin Portal.

ZPA must be able to verify the chain of trust for the uploaded signed certificates, so every certificate in the chain must be present, starting from the signed certificates created in step 2 up to and including the root CA certificate.

You only need to upload the certificate chain of trust once.

You can upload the certificate chain using one of the following methods:

  • Method 1: Prepend the certificate chain to each signed certificate prior to uploading them to ZPA.
  • Method 2: Upload the signed certificates and the certificate chain corresponding to each, separately.

To learn more, see Creating Certificate Signing Requests for Enrollment (CA) Certificates and Uploading Enrollment (CA) Certificates and the Certificate Chain.
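The checks a practitioner wants before uploading, as an added shell example that is not Zscaler's code or tooling: it confirms that a certificate signed by your CA can act as a CA, verifies the chain of trust up to the root the way ZPA must, and assembles the Method 1 upload file with the chain prepended. It assumes OpenSSL 1.1.1 or later; all file names are placeholders, and the throwaway PKI built by make_demo_pki is constructed for illustration.

```shell
# Added example, not Zscaler tooling; assumes OpenSSL >= 1.1.1, PEM files, placeholder names.

# Return 0 if the certificate in $1 may act as a CA for signing CSRs, which ZPA
# requires of every enrollment certificate: basicConstraints must be CA:TRUE
# and, when keyUsage is present, it must include Certificate Sign.
can_act_as_ca() {
  ext=$(openssl x509 -in "$1" -noout -ext basicConstraints,keyUsage)
  case "$ext" in *CA:TRUE*) ;; *) return 1 ;; esac
  case "$ext" in *"Key Usage"*)
    case "$ext" in *"Certificate Sign"*) ;; *) return 1 ;; esac ;;
  esac
}

# Verify the chain of trust the way ZPA will: the signed certificate ($1) must
# chain through the intermediates ($3, optional bundle) up to the root CA ($2).
verify_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null
  else
    openssl verify -CAfile "$2" "$1" >/dev/null
  fi
}

# Method 1 from the article: prepend the chain ($2, intermediates then root) to the
# signed certificate ($1), writing upload file $3; succeeds only if the count adds up.
build_bundle() {
  cat "$2" "$1" > "$3"
  want=$(( $(grep -c 'BEGIN CERTIFICATE' "$2") + 1 ))
  [ "$(grep -c 'BEGIN CERTIFICATE' "$3")" -eq "$want" ]
}

# Constructed throwaway PKI (root -> intermediate -> signed enrollment CA), so
# the checks above can be exercised offline; all files land in directory $1.
make_demo_pki() {
  d=$1
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  for n in root int enroll; do
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
      -out "$d/$n.csr" -subj "/CN=demo-$n" 2>/dev/null
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl x509 -req -in "$d/enroll.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/enroll.pem" 2>/dev/null
  cat "$d/int.pem" "$d/root.pem" > "$d/chain.pem"
}
```

Run `make_demo_pki` on an empty directory, then `verify_chain enroll.pem root.pem int.pem` and `build_bundle enroll.pem chain.pem upload.pem` to see a passing check; omitting int.pem from verify_chain shows the failure ZPA reports when an intermediate is missing from the chain.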

About the Enrollment Certificates Page

On the Enrollment Certificates page (Configuration & Control > Certificate Management > Enrollment Certificates), you can do the following:

  1. Generate a Zscaler-issued enrollment (CA) certificate.
  2. Upload a certificate chain.
  3. Create a CSR for an enrollment (CA) certificate.
  4. Expand all of the rows in the table to see more information about each enrollment (CA) certificate.
  5. View a list of all signing certificates used for enrollment that are configured for your organization, as well as the preloaded enrollment (CA) certificates provided by Zscaler. For each certificate, you can see:
    • Name: The name of the certificate. A Zscaler Client Connector icon is displayed next to the name if the certificate is being used as a signing certificate for certificates issued to clients enrolling in Zscaler Client Connector. An Isolation Client icon is displayed next to the name if it is being used as a signing certificate for isolation clients.
    • Description: The certificate's description, if available.
    • Parent Certificate: The parent certificate for the signing certificate, if any.
    • Issued By: The CA that issued the certificate.
    • Issued To: The entity that the CA issued the certificate to.
    • Creation Date: The creation date of the certificate.
    • Expiry Date: The expiration date of the certificate.
    • Common Name: The CN for the hostname associated with the certificate.

Depending on the Expiry Date, the following icons are displayed next to the Name:

  • If the certificate has expired, a red warning icon is displayed.
  • If the certificate has less than 7 days before expiration, a yellow caution icon is displayed.
  • If the certificate has less than 30 days before expiration, an orange info icon is displayed.
  6. Download the CSR file for an enrollment certificate.
  7. Upload a signed certificate.
  8. Edit an existing enrollment (CA) certificate.
  9. Delete an enrollment (CA) certificate.
  10. Go to the Certificates page to view and manage Browser Access (i.e., web server) certificates.
  11. Go to the Root Certificates for Isolation page to view and manage root certificates associated with the isolation profiles.

Enrollment Certificates page within the ZPA Admin Portal
