Ensure successful SSL inspection and prevent certificate errors by installing the Zscaler Root Certificate on all user devices.
Why This Matters
Zscaler performs SSL inspection to analyze encrypted internet traffic and protect your environment from hidden threats. For this to work without errors, end-user devices must trust the Zscaler Root Certificate.
If the certificate isn’t trusted:
- Users may see certificate warnings or errors
- Applications (especially on Apple devices) may not function correctly
Recommended Methods
You can install the Zscaler Root Certificate in two primary ways:
✅ Option 1: Zscaler Client Connector (ZCC) – Most Common & Easiest
ZCC automatically installs and manages the certificate trust on Windows, macOS, and mobile platforms.
Benefits:
- No user interaction required
- Automatically handles OS-specific certificate stores
- Dynamically updates as needed
Requirements:
- Zscaler Client Connector deployed on user devices
- Proper SSL inspection policies in place (configured via ZIA Admin Portal)
🔗 Zscaler Client Connector Admin Guide
For most deployments, this is all you need—no MDM involvement required if ZCC is installed.
🛠️ Option 2: MDM, GPO, or Manual Installation
If you're not using ZCC or need to install the certificate before ZCC is deployed (e.g., for SSL inspection of login pages or pre-logon processes), you can push the certificate directly to devices using:
- Intune
- Jamf
- Group Policy (GPO)
- Manual installation (testing or unmanaged devices)
Manual Installation Instructions
Step 1: Download the Zscaler Root Certificate
- Log in to the ZIA Admin Portal
- Go to Administration > Certificates
- Download the Zscaler Root CA Certificate (.crt or .cer)
Installation by Operating System
🪟 Windows
- Press Win + R, type mmc, press Enter
- File > Add/Remove Snap-in > Certificates (Computer Account)
- Navigate to Trusted Root Certification Authorities > Certificates
- Right-click > All Tasks > Import
- Select the certificate and complete the wizard
💡 To verify:
certutil -store root | findstr "Zscaler"
🍎 macOS
- Open Keychain Access
- Select System > File > Import Items
- Choose the certificate file
- Double-click the cert → Set to “Always Trust”
🐧 Linux (Ubuntu/Debian)
sudo cp ZscalerRootCA.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
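The Linux step above, extended with checks run before the file reaches the trust store (an added example, not Zscaler's or this page's own tooling): update-ca-certificates only picks up PEM-encoded files ending in .crt, so a DER-encoded .cer download is converted, and the file is staged only if it is a CA certificate whose SHA-256 fingerprint matches a value you obtained out of band. The function names and the pinned-fingerprint workflow are assumptions.

```shell
# Added example: vet a downloaded root CA file before update-ca-certificates.
# Function names are hypothetical; requires the openssl CLI.

# Print the certificate as PEM whether the download was PEM or DER encoded.
cert_to_pem() {
  openssl x509 -in "$1" -inform PEM -outform PEM 2>/dev/null ||
    openssl x509 -in "$1" -inform DER -outform PEM 2>/dev/null
}

# Print the SHA-256 fingerprint of the PEM certificate on stdin as bare
# uppercase hex (no colons), so it can be compared as a plain string.
pem_sha256() {
  openssl x509 -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F'
}

# Succeed only if the PEM certificate on stdin carries basicConstraints CA:TRUE.
pem_is_ca() {
  openssl x509 -noout -text | grep -q 'CA:TRUE'
}

# stage_root_ca <downloaded-file> <expected-sha256> <dest-dir>
# Writes <dest-dir>/ZscalerRootCA.crt only when every check passes.
# Return codes: 2 = not a certificate, 3 = not a CA, 4 = fingerprint mismatch.
stage_root_ca() {
  local src=$1 want dest=$3 pem got
  want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
  pem=$(cert_to_pem "$src") || { echo "not an X.509 certificate: $src" >&2; return 2; }
  printf '%s\n' "$pem" | pem_is_ca || { echo "not a CA certificate: $src" >&2; return 3; }
  got=$(printf '%s\n' "$pem" | pem_sha256)
  [ "$got" = "$want" ] || { echo "fingerprint mismatch: got $got" >&2; return 4; }
  printf '%s\n' "$pem" > "$dest/ZscalerRootCA.crt"
}

# Usage (run as root, or stage into a scratch directory and sudo cp the result);
# <EXPECTED_SHA256> is a placeholder for the fingerprint you verified out of band:
#   stage_root_ca ./ZscalerRootCA.cer "<EXPECTED_SHA256>" /usr/local/share/ca-certificates \
#     && update-ca-certificates
```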
📱 iOS
- Email or AirDrop the certificate to the device
- Tap the profile > Install
- Go to Settings > General > About > Certificate Trust Settings
- Enable Zscaler Root Certificate
🤖 Android
- Go to Settings > Security > Encryption & credentials
- Tap Install a certificate from storage
- Select the file and install under VPN & apps
Firefox Note (Windows/macOS)
Firefox uses its own certificate store, separate from the OS.
- Open Firefox > Settings > Privacy & Security
- Under Certificates, click View Certificates > Authorities
- Click Import, choose the Zscaler certificate
- Enable Trust this CA to identify websites
Troubleshooting
Symptom | Fix |
---|---|
SSL warnings continue | Restart browser or PC, verify certificate is in Trusted Root |
Firefox shows cert errors | Add cert to Firefox's own cert store |
ZCC is installed but errors persist | Confirm SSL inspection is enabled in ZIA and ZCC policy is applied |
Summary
For most environments, installing Zscaler Client Connector is the simplest and most effective way to deploy and trust the Zscaler Root Certificate.
However, if you use pre-logon authentication, have unmanaged devices, or want additional control, MDM or GPO certificate deployment may be appropriate.
Need help deciding which method is best? Reach out to your SecureDynamics engineer or project team for guidance.