Overview

This guide details the step-by-step process for updating the certificate used by Zscaler Private Access in the Zscaler Admin Portal. The certificate is sourced from Azure Application Services and exported from Azure Key Vault. The process includes converting the certificate from a .pfx file to a .pem file using OpenSSL and then uploading the new certificate into the ZPA configuration.

Prerequisites

  • Administrative Access: Ensure you have the necessary administrative credentials for the Zscaler Admin Portal.
  • Certificate File: A valid certificate (.pfx) exported from Azure Application Services via Azure Key Vault.
  • OpenSSL Installed: OpenSSL must be installed on your workstation to convert the certificate file.




Step-by-Step Process

1. Obtain and Export the Certificate from Azure

  • Export Certificate:
     Export the certificate from Azure Application Services using Azure Key Vault. Confirm that the exported .pfx file contains the certificate along with the private key and any necessary intermediate certificates.

2. Convert the Certificate from PFX to PEM Format

  • OpenSSL Command:
     Use the following command example in a command prompt or terminal to convert the .pfx certificate file to a .pem file:

openssl.exe pkcs12 -in c:\Certs\keeleyproductionkeyvault-starkeeleycompaniescom.pfx -out c:\Certs\zpa_cert.pem -nodes

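    • The -nodes flag writes the private key to the PEM file unencrypted, so keep zpa_cert.pem in a location only you can access and delete it once the upload is complete. On OpenSSL 3.0 and later, -noenc is the preferred name for the same option.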

3. Validate the Converted PEM File

  • File Check:
     Open the zpa_cert.pem file in a text editor and confirm that it contains:
    • The certificate block.
    • The private key block.
    • Any required intermediate certificates (if applicable).
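
A scripted version of the check in step 3, as an added example that is not part of the original guide or of any Zscaler tooling. It counts certificate and private key blocks, flags a key that is still encrypted (conversion run without -nodes), and catches truncated blocks. The function names and the sample text are constructed for illustration; it checks structure only, not expiry or whether the key matches the certificate.

```python
import base64
import re

# One PEM block; the backreference forces BEGIN and END labels to agree.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)
PLAIN_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def inspect_pem(text):
    """Count the blocks step 3 looks for and list anything that is off."""
    found = {"certificates": 0, "private_keys": 0, "encrypted_keys": 0}
    problems = []
    blocks = PEM_BLOCK.findall(text)
    if len(blocks) != text.count("-----BEGIN "):
        problems.append("truncated or mismatched BEGIN/END block")
    for label, body in blocks:
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            found["encrypted_keys"] += 1  # conversion ran without -nodes
            continue
        if label == "CERTIFICATE":
            found["certificates"] += 1
        elif label in PLAIN_KEY_LABELS:
            found["private_keys"] += 1
        else:
            problems.append("unexpected block: " + label)
            continue
        try:  # certificates and plain keys are DER: a SEQUENCE, tag 0x30
            der = base64.b64decode("".join(body.split()), validate=True)
            if der[:1] != b"\x30":
                problems.append(label + " payload is not DER")
        except ValueError:
            problems.append(label + " payload is not valid base64")
    if found["certificates"] == 0:
        problems.append("no certificate block")
    if found["private_keys"] != 1:
        problems.append("expected exactly one unencrypted private key")
    # Certificates beyond the first are counted as chain (intermediate) certs.
    found["extra_certificates"] = max(found["certificates"] - 1, 0)
    return found, problems

def make_block(label, payload=b"\x30\x03\x02\x01\x00"):
    # Constructed stand-in bytes, not a real certificate or key.
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed sample laid out like `openssl pkcs12 -nodes` output.
SAMPLE = ("Bag Attributes\n    friendlyName: constructed-sample\n"
          + make_block("PRIVATE KEY") + "subject=CN = app.example.test\n"
          + make_block("CERTIFICATE") + make_block("CERTIFICATE"))
print(inspect_pem(SAMPLE))
```

To check the real file, pass the contents of zpa_cert.pem to inspect_pem; an empty problems list means the blocks step 3 asks for are present and intact.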

4. Log into the Zscaler Admin Portal

  • Access the Portal:
     Open your preferred web browser and navigate to the Zscaler Admin Portal.
  • Sign In:
     Log in with your administrative credentials.

5. Navigate to Certificate Management

  • Locate Settings:
     Within the Admin Portal, go to the section where certificates are managed. This is typically under:
    • Administration
    • Look for a section labeled “Certificates”.

6. Upload the New PEM Certificate

  • Initiate Certificate Update:
     Select the option to update or replace the existing certificate.
  • Upload Process:
    • Click on the "Upload" or "Browse" button.
    • Select the zpa_cert.pem file from its saved location.
    • Follow any on-screen instructions to complete the upload.
  • Configuration Association:
     Ensure the new certificate is properly associated with the ZPA configuration for your internal applications.

7. Apply and Confirm Changes

  • Apply Changes:
     Confirm the update, and if prompted, follow instructions to restart services or apply the changes.
  • Verify Update:
     Check the certificate details displayed in the Admin Portal to ensure the new certificate is active.

8. Verification and Testing

  • Functionality Test:
     Test access to the published internal applications to ensure they are properly using the updated certificate.
  • Monitor Logs:
     Use the ZPA logs or diagnostic tools available within the portal to verify that there are no errors or SSL/TLS handshake issues.

9. Documentation and Renewal Planning

  • Record Details:
     Document the following details:
    • Certificate issuance and expiration dates.
    • The process steps taken for future reference.
  • Set Reminders:
     Schedule reminders for certificate renewal before the expiration date to avoid service disruptions.

Troubleshooting Tips

  • Certificate Format Issues:
     Ensure that the PEM file is correctly formatted and includes all necessary components (certificate, private key, intermediate certificates).
  • Upload Failures:
     If the upload fails, verify the file integrity and check for any format requirements specified in the Zscaler documentation.
  • Access Problems:
     If users experience access issues after the update, review the configuration settings in the Admin Portal and consult the Zscaler logs for further diagnostics.


Conclusion

By following these steps, you will ensure that the Zscaler Private Access environment is updated with the new certificate, maintaining secure access to your internal applications. Always refer to the latest Zscaler documentation for any additional or environment-specific instructions.