How do I use a custom certificate for SSL inspection?
For an overview of the process that takes place when you configure a custom intermediate root certificate, see SSL Inspection Using a Custom Intermediate Root Certificate in How does Zscaler protect SSL traffic?
To configure a custom certificate:
Complete the following tasks to configure the Zscaler service to use your organization’s certificate during the SSL negotiations:
Generating the CSR
To generate the CSR, log in to the Zscaler service portal and do the following:
A. Go to Policy > Web > SSL Inspection.
B. In Intermediate Root Certificate Authority for SSL Interception > CSR for Custom Certificate, click Generate New CSR to create a Certificate Signing Request (CSR).
C. Fill out the CSR page as follows and click Save.
- Enter a name for the certificate.
- Enter the distinguished name of your organization, such as zscaler.com.
- Enter the name of your organization or company.
- Enter the division or department name.
- Enter the city, state and country where your organization is located.
- Choose the size of the hash for the SHA (Secure Hash Algorithm).
D. In Intermediate Root Certificate Authority for SSL Interception > CSR for Custom Certificate, click Download CSR.
Signing the CSR
After you download the CSR, send it to your CA for signing. Ensure that the CSR is signed as a Subordinate Certification Authority or Intermediate Certification Authority.
NOTE: If you use OpenSSL, ensure that the following attributes are set during signing:
basicConstraints=CA:TRUE
keyUsage=keyCertSign, cRLSign
Click here to see an example of how the CSR can be signed using the Active Directory Certificate Services.
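The OpenSSL attributes above are easy to get wrong, and a certificate signed without them will not work as a signing CA. The following added example (not from the Zscaler article, and not an Active Directory Certificate Services procedure) signs a CSR as a subordinate CA with OpenSSL and then checks the result for CA:TRUE, keyCertSign and cRLSign before you upload it. It assumes openssl is on PATH; the root CA and the CSR it uses are constructed test stand-ins for your real root CA and the CSR downloaded from the portal.

```shell
#!/bin/sh
# Sign a CSR as a subordinate (intermediate) CA and verify the extensions.
# Assumption: openssl is installed. Everything below runs in a scratch dir.
set -e
WORK=$(mktemp -d)

# Extension file carrying the attributes the article requires for the
# intermediate: basicConstraints CA:TRUE and keyUsage keyCertSign, cRLSign.
cat > "$WORK/sub_ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

# Constructed stand-ins: a self-signed test root and a test CSR that plays
# the role of the CSR downloaded from Policy > Web > SSL Inspection.
make_test_inputs() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Test Root/O=Example Org" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=example.com/O=Example Org/OU=Security" \
    -keyout "$WORK/portal.key" -out "$WORK/portal.csr" 2>/dev/null
}

# Sign the CSR with the root key, applying the subordinate CA extensions.
# $1 = CSR path, $2 = output certificate path (PEM).
sign_subordinate_ca() {
  openssl x509 -req -in "$1" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/sub_ca.ext" \
    -out "$2" 2>/dev/null
}

# Pre-upload check: the certificate must be a CA, must be allowed to sign
# certificates and CRLs, and must chain to the root. Prints "ok" on success.
check_subordinate_ca() {
  text=$(openssl x509 -in "$1" -noout -text)
  echo "$text" | grep -q 'CA:TRUE' || { echo "missing CA:TRUE"; return 1; }
  echo "$text" | grep -q 'Certificate Sign' || { echo "missing keyCertSign"; return 1; }
  echo "$text" | grep -q 'CRL Sign' || { echo "missing cRLSign"; return 1; }
  openssl verify -CAfile "$WORK/root.pem" "$1" >/dev/null 2>&1 \
    || { echo "does not chain to root"; return 1; }
  echo ok
}

make_test_inputs
sign_subordinate_ca "$WORK/portal.csr" "$WORK/intermediate.pem"
check_subordinate_ca "$WORK/intermediate.pem"
```

With a real CA, replace the constructed root key and CSR with your own; the check function is the part worth keeping, since an intermediate missing any of these properties is rejected or unusable for interception.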
Upload Chain Certificate
Optionally, you can upload the certificate chain that includes any other intermediate certificates that complete the chain to the intermediate root certificate you will upload. When you upload the certificate chain, the Zscaler service sends the intermediate root certificate along with this chain and the signed server certificate to your users’ machines during SSL inspection. If you do not upload the certificate chain, the Zscaler service sends only your organization’s intermediate root certificate and its signed server certificate to the user’s machine. You can read more about the benefits of uploading the certificate chain in How does Zscaler protect SSL traffic?
- Go to Policy > Web > SSL Inspection.
- In Intermediate Root Certificate Authority for SSL Interception > Chain Certificate, click Upload.
The file must be in .pem format.
Upload the Certificate to the Service
- In Intermediate Root Certificate Authority for SSL Interception > Custom Certificate, click Upload New Certificate.
- Click Save and activate the change.
- Ensure that your organization’s root certificate is installed on the browsers of your users. Browsers will trust the new intermediate certificate and any certificate signed by it. Note that if you upload a custom certificate that is invalid, for example, the common name in the certificate does not match, the Zscaler service will not use the Zscaler root certificate. Instead, it will continue to use the previously uploaded self-signed certificate.