What if I don’t want to maintain or don’t have a PKI infrastructure? Can I just leverage a certificate from a public PKI?
You could, but you wouldn’t want to.
Part of the security of the service is that the user can only trust the certificate provided through the ZPA tunnels as coming from a CA that only it trusts. Using a public CA defeats this.
Isn’t one of the requirements for the ZPA cert that it be able to sign certificates (clients get one and connector groups get another)? Wouldn’t that make the use of a “public PKI” cert almost impossible?
Correct. However - it wouldn’t stop customers from either asking the question, or asking for us to integrate with a public PKI system which would dynamically issue certificates to users/connectors. The right way to position the answer is that avoiding public PKI actually makes them more secure - either using Zscaler internal CA or their own CA.