Verification of SSL inspection exception

Hi! I’m trying to find the best way of verifying that a domain is not being SSL inspected and I am confused by the results of my current method.

First I add the exception via a URL category, save, push changes. After I browse to the domain, e.g., I check the certificate presented by the URL bar. No Zscaler cert, so it’s working, right? However, when I use openssl I get different results:

openssl s_client -showcerts -connect
depth=2 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (, emailAddress =
verify error:num=20:unable to get local issuer certificate
verify return:0

Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*
i:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA ( (t)

Why is this happening and what are your best methods of verifying that an SSL inspection exception is working?
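One way to script the check, as an added example that is not part of the original post: it reads saved `openssl s_client -showcerts` output and reports whether the depth-0 (leaf) certificate was issued by the inspection CA. The sample outputs, the `example.com` names and the function names are constructed for illustration; the `Zscaler` organization match comes from the issuer line quoted above.

```python
import re
import sys
# Constructed samples in the layout printed by `openssl s_client -showcerts`.
SAMPLE_INSPECTED = """---
Certificate chain
 0 s:/C=US/O=Example LLC/CN=*.example.com
   i:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
---"""
SAMPLE_BYPASSED = """---
Certificate chain
 0 s:C = US, O = Example LLC, CN = *.example.com
   i:C = US, O = Example Trust Services, CN = Example CA 1
---"""

SUBJECT = re.compile(r"^(\d+)\s+s:\s*(.*)$")
ORG = re.compile(r"(?:^|[/,])\s*O\s*=\s*([^/,]+)")  # handles both DN print styles

def parse_chain(text):
    """Return one dict per certificate listed under 'Certificate chain'."""
    chain, in_chain = [], False
    for line in text.splitlines():
        s = line.strip()
        if s == "Certificate chain":
            in_chain = True
        elif in_chain and s == "---":  # section end; PEM markers use five dashes
            break
        elif in_chain:
            m = SUBJECT.match(s)
            if m:
                chain.append({"depth": int(m.group(1)), "subject": m.group(2), "issuer": None})
            elif s.startswith("i:") and chain:
                chain[-1]["issuer"] = s[2:].strip()
    return chain

def organization(dn):
    m = ORG.search(dn)
    return m.group(1).strip() if m else None

def verdict(text, inspection_org="Zscaler"):  # judged on the leaf's issuer only
    leaf = next((c for c in parse_chain(text) if c["depth"] == 0), None)
    if leaf is None or not leaf["issuer"]:
        return "no-chain"
    org = organization(leaf["issuer"]) or ""
    return "inspected" if inspection_org.lower() in org.lower() else "bypassed"

if __name__ == "__main__":
    print(verdict(SAMPLE_INSPECTED if sys.stdin.isatty() else sys.stdin.read()))
```

Saved under a name of your choice, the script also accepts live output on stdin, for example by piping `openssl s_client -showcerts -connect HOST:443 </dev/null` into it, where `HOST` is a placeholder.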