Configuration Example: Signing a CSR using the Active Directory Certificate Services

When you configure a custom intermediate root certificate for SSL inspection, you must generate and download a CSR in the admin portal, then send the CSR to your certificate authority (CA) for signing. Ensure that the CSR is signed as a Subordinate Certification Authority or Intermediate Certification Authority.

Below is a configuration example showing how the CSR can be signed using the Active Directory Certificate Services.

  1. On the Windows server, navigate to the Certification Authority.
  2. Select the organization, and go to Action > All Tasks > Submit new request.
  3. In the Open Request File window, navigate to your CSR and click Open.
  4. Double-click Pending Requests.
  5. Select your newly submitted request, right-click, and then go to All Tasks > Issue.
  6. Go to Issued Certificates and double-click the newly issued certificate to select the certificate.
  7. When the new certificate appears, click the Details tab and click Copy to File.
  8. When the Certificate Export Wizard appears, click Next.
  9. For the Export File Format, select Base-64 encoded X.509 and click Next.
  10. Browse to the certificate you want to export and then click Next.
  11. Click Finish to exit the Wizard.
  12. Navigate to the certificate that you downloaded and change the certificate file name so it has a .pem extension. For example, zscalerdemo.pem. The Zscaler service accepts certificates with the .pem extension only.
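
Before uploading, the exported file can be checked on the Windows server against the requirements stated above: Base-64 encoding, a .pem extension, and issuance as a subordinate or intermediate CA. The following PowerShell is an added example, not part of the original procedure or of any vendor tooling; the function name `Test-IntermediateCaCertificate` is hypothetical, and the file name in the usage comment is the page's own example.

```powershell
# Added example: sanity-check the exported certificate before upload.
# The function name is hypothetical (not a built-in cmdlet).
function Test-IntermediateCaCertificate {
    param([Parameter(Mandatory)][string]$Path)

    $problems = @()

    # A Base-64 encoded X.509 export is text with a PEM header; a DER export is binary.
    $text = Get-Content -LiteralPath $Path -Raw
    if ($text -notmatch '-----BEGIN CERTIFICATE-----') {
        return [pscustomobject]@{ Path = $Path; Ok = $false
            Problems = @('Not Base-64 (PEM) encoded: re-export as Base-64 encoded X.509.') }
    }
    if ([IO.Path]::GetExtension($Path) -ne '.pem') {
        $problems += 'File name does not end in .pem.'
    }

    $full = (Resolve-Path -LiteralPath $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full

    # Basic Constraints (OID 2.5.29.19) must mark the certificate as a CA.
    $bc = $cert.Extensions['2.5.29.19'] -as [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    if (-not $bc -or -not $bc.CertificateAuthority) {
        $problems += 'Basic Constraints does not say CA=TRUE: the CSR was not signed as a subordinate/intermediate CA.'
    }

    # Key Usage (OID 2.5.29.15), when present, must allow certificate signing.
    $ku = $cert.Extensions['2.5.29.15'] -as [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
    $certSign = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign
    if ($ku -and -not ($ku.KeyUsages -band $certSign)) {
        $problems += 'Key Usage lacks Certificate Signing (keyCertSign).'
    }

    # An intermediate issued by the CA has a different issuer than subject.
    if ($cert.Subject -eq $cert.Issuer) {
        $problems += 'Subject equals Issuer: this looks like a self-signed or root certificate.'
    }

    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "Outside validity period ($($cert.NotBefore) to $($cert.NotAfter))."
    }

    [pscustomobject]@{ Path = $Path; Subject = $cert.Subject; Issuer = $cert.Issuer
        NotAfter = $cert.NotAfter; Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Usage:
# Test-IntermediateCaCertificate -Path .\zscalerdemo.pem | Format-List
```

An `Ok` value of `False` with a Basic Constraints problem means the request was issued as an end-entity certificate rather than as a subordinate CA, and it should be reissued before upload.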