SSL verifications by zscaller - Certificate Chain Trust verification - SubCa download

Hi there,

  1. Can we know how zscaler block network access to websites for which zscaller fail to verify certificate trust ?

  2. If the website does not present the SubCa certificate (if it has not been configured to present all the server trust chain certificates but only the server’s certificate), but the CA certificate is referenced in the optional certificate extension Authority Information Access (AIA), does zscaller downloads the subca certificate to verify the chain as Internet browsers does ? (seems no)

  3. Once the server’s certificate configuration has been updated, is there something to do to allow zscaller to give back network access to the server ?

Question raised on this post without answers:
SSL Inspection Policy and URL Filtering - Cloud Firewall - Zenith (zscaler.com)

These are great questions, thanks for asking. @lpergament do you know of anyone that might be able to shed some light on this?