Zscaler Certificate Tips

I wanted to share a few tips that aren’t found in the “Adding Custom Certificate to an Application Specific Trusted Store” ZIA help page.

If you use AWS CLI and CDK, I found using the environment variable AWS_CA_BUNDLE works the best. When I last tested, CDK didn’t use the AWS CLI ca_bundle configuration.
e.g. AWS_CA_BUNDLE=/PATH/ZscalerRootCertificate-2048-SHA256.pem

AWS CLI and Private Endpoints over ZPA
If you use AWS Private Endpoints and access those resources over ZPA, you’ll run into issues with AWS CLI calls to those private endpoints. To fix this issue, I created a new PEM bundle that has the Zscaler Root Certificate and the 4 Amazon Root Certificates.
e.g. AWS_CA_BUNDLE=/PATH/ZscalerAWS.pem

If you set the environment variable NODE_EXTRA_CA_CERTS, NodeJS, NPM and Yarn should work. I have seen issues lately where this has changed, so if you run into issues, after setting NODE_EXTRA_CA_CERTS, configure NPM.
e.g. NODE_EXTRA_CA_CERTS=/PATH/ZscalerRootCertificate-2048-SHA256.pem
npm config set cafile "$NODE_EXTRA_CA_CERTS" # if running into issues

Hope this helps. Glad to see the ZIA help page getting updated with more tools!
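
An added example (not part of the original post or of Zscaler's documentation) for the combined bundle described under "AWS CLI and Private Endpoints over ZPA": it merges PEM inputs into one normalized bundle, repairs blocks glued together by a missing trailing newline, drops duplicates, and returns SHA-256 fingerprints to compare against the values each CA publishes. The function names and the sample "certificates" are assumptions; the samples are constructed byte strings in PEM framing, not real certificates.

```python
import base64
import hashlib
import re

# One PEM certificate block; also matches blocks glued together on one line
# because an input file had no trailing newline.
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_pem(der):
    """Encode DER bytes as a PEM block with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def build_bundle(pem_texts):
    """Merge PEM inputs into one normalized bundle without duplicates.

    Returns (bundle_text, sha256_fingerprints), both in first-seen order.
    Only PEM framing and base64 are checked, not X.509 validity.
    """
    seen, blocks = [], []
    for text in pem_texts:
        bodies = PEM_CERT.findall(text)
        if not bodies:
            raise ValueError("input contains no PEM certificate block")
        for body in bodies:
            # validate=True rejects stray characters, e.g. from a saved HTML page
            der = base64.b64decode("".join(body.split()), validate=True)
            fp = hashlib.sha256(der).hexdigest()
            if fp not in seen:
                seen.append(fp)
                blocks.append(to_pem(der))
    return "".join(blocks), seen


# Constructed stand-ins, not real certificates: arbitrary bytes in PEM framing.
ZSCALER = to_pem(b"constructed-zscaler-root" * 4)
AMAZON = [to_pem(b"constructed-amazon-root-%d" % n * 4) for n in range(1, 5)]

if __name__ == "__main__":
    # Simulate a file saved without a trailing newline and a repeated download.
    inputs = [ZSCALER.rstrip("\n")] + AMAZON + [AMAZON[0]]
    bundle, fingerprints = build_bundle(["".join(inputs)])
    print(len(fingerprints), "certificates in bundle")
    for fp in fingerprints:
        print(fp)
```

With real files, pass the text of each downloaded PEM file to build_bundle, write the returned bundle to the path used in AWS_CA_BUNDLE, and check each fingerprint against the issuer's published SHA-256 value before trusting the bundle.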