Private CA for ZPA

I am in the process of setting up my environment for ZPA.
My connectors and ZApp clients use the ZS signed PKI right now (Self contained ZPA Trust model).

I need to move to my own PKI infrastructure (External Private-CA Trust Model) so clients and connectors are issues certs based on my ZS hosted Subordinate Cert Authority.

I have generated CSR’s on the ZPA admin portal which are ready for signing by my root CA. This is where I am having trouble. The portal gives minimal configuration options so the CSR is also minimally populated.

My questions:

  1. I am unable to set location details in the CSR, these are mandatory and required for any CA to even consider signing a CSR. Where can I do this if its even possible?

  2. Can additional flags such as Digital Signature, Non-Repudiation and Non-Repudiation be set in the CSR? If so where is this done, the CSR I have generated do not contain these flags.

  3. When I generate the CSR on the portal, my understanding is it ONLY contains the Public Key. So where is the private key stored?

Any help is very highly appreciated, its very urgent.

Kind Regards
Irman Ghaffar.

Irman, I am assuming that your qns have been answered on our call.