It’s probably easier to start from first principals on where openssl is run from
mryan@imac-2 ~ % which openssl /usr/bin/openssl
Check the version details, which will return where openssl is reading it’s configuration and certificates from.
mryan@imac-2 ~ % openssl version -a LibreSSL 2.8.3 built on: date not available platform: information not available options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) compiler: information not available OPENSSLDIR: "/private/etc/ssl"
Now copy the Zscaler certificate (or custom certificate) to the Openssl certificate chain in that directory
sudo cat ZscalerRootCertificate-2048-SHA256.crt >> /private/etc/ssl/cert.pem
Which should render the content correctly and check to the root.
mryan@imac-2 ~ % openssl s_client -connect www.mimecast.com:443 | more depth=3 DC = net, DC = welshgeek, CN = WelshGeek-DC1-CA verify return:1 depth=2 C = GB, ST = Wales, L = Cardiff, O = Welshgeek, OU = Network Security, CN = Welshgeek Intermediate verify return:1 depth=1 C = GB, L = Cardiff, ST = Wales, O = Welshgeek, OU = Network Security, CN = "Welshgeek Intermediate (t) " verify return:1 depth=0 C = GB, L = London, O = Mimecast Services Limited, OU = Techops, CN = mimecast.com verify return:1 CONNECTED(00000006) --- Certificate chain 0 s:/C=GB/L=London/O=Mimecast Services Limited/OU=Techops/CN=mimecast.com i:/C=GB/L=Cardiff/ST=Wales/O=Welshgeek/OU=Network Security/CN=Welshgeek Intermediate (t) 1 s:/C=GB/L=Cardiff/ST=Wales/O=Welshgeek/OU=Network Security/CN=Welshgeek Intermediate (t) i:/C=GB/ST=Wales/L=Cardiff/O=Welshgeek/OU=Network Security/CN=Welshgeek Intermediate 2 s:/C=GB/ST=Wales/L=Cardiff/O=Welshgeek/OU=Network Security/CN=Welshgeek Intermediate i:/DC=net/DC=welshgeek/CN=WelshGeek-DC1-CA --- Server certificate