
Fixing OpenSSL Certificate Errors Behind Zscaler


If you’ve worked with OpenSSL behind Zscaler, you know the moment. The root cause is buried under layers: SSL inspection, custom root CAs, and how OpenSSL verifies certificates. Most teams waste hours chasing it. It doesn’t have to be that way.

OpenSSL relies on a trusted certificate store to validate TLS connections. When Zscaler intercepts and re-signs traffic, its root certificate must be trusted by OpenSSL. On many systems, browsers trust it because it’s installed at the OS level. But OpenSSL often uses its own CA bundle, leaving that Zscaler root unrecognized. The result—your requests fail.

The fix starts with exporting the Zscaler root certificate in PEM format. On most machines, you can get it from the browser’s certificate viewer when visiting an HTTPS site. Then, you point OpenSSL (or any tool that depends on it, like curl or certain language runtimes) to a certificate bundle containing both the system CAs and Zscaler’s root.

For Linux, update /etc/ssl/certs/ca-certificates.crt or your distribution’s equivalent. For macOS, OpenSSL might use /usr/local/etc/openssl/cert.pem if installed via Homebrew. Append the PEM content, then confirm with:

openssl s_client -connect example.com:443 -showcerts

If the verification passes, it’s fixed. No more unknown issuer errors.
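An added example, not part of the original post, that scripts the procedure described above: it concatenates the system bundle with the exported Zscaler root, checks that the result is still intact PEM, verifies a host against it with s_client -CAfile, and prints the environment variables that point OpenSSL-based tools at the new bundle. It assumes the Zscaler root has already been saved from the browser as a PEM file; all paths are placeholders.

```shell
#!/usr/bin/env sh
# Example script (not from the original post). Assumes the Zscaler root CA has
# already been exported from the browser as PEM. Paths are placeholders.
set -eu

# Count PEM certificate blocks in a file; a valid export has at least one.
count_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Build a combined bundle: system CAs followed by the Zscaler root.
# Refuses input that is not PEM (e.g. a DER export from the browser) and
# checks that no block was lost or truncated during concatenation.
build_bundle() {
  system_bundle=$1; zscaler_root=$2; out=$3
  [ "$(count_certs "$zscaler_root")" -ge 1 ] || {
    echo "not a PEM certificate: $zscaler_root (export as Base64/PEM)" >&2
    return 1
  }
  cat "$system_bundle" "$zscaler_root" > "$out"
  expected=$(( $(count_certs "$system_bundle") + $(count_certs "$zscaler_root") ))
  [ "$(count_certs "$out")" -eq "$expected" ]
}

# Verify a host's intercepted chain against the bundle. Succeeds only when
# OpenSSL reports "Verify return code: 0 (ok)"; -servername sets SNI so the
# inspecting proxy presents the chain for that host.
verify_host() {
  host=$1; bundle=$2
  openssl s_client -connect "$host:443" -servername "$host" -CAfile "$bundle" \
    </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# Print export lines for tools that take their trust store from the
# environment: OpenSSL itself, curl, Python requests, Node.js and git.
print_env_exports() {
  bundle=$1
  for var in SSL_CERT_FILE CURL_CA_BUNDLE REQUESTS_CA_BUNDLE NODE_EXTRA_CA_CERTS GIT_SSL_CAINFO; do
    echo "export $var=$bundle"
  done
}

# Usage (placeholder paths):
#   build_bundle /etc/ssl/certs/ca-certificates.crt ./zscaler-root.pem ./bundle.pem
#   verify_host example.com ./bundle.pem && print_env_exports "$PWD/bundle.pem"
```

On Debian-based systems a root appended directly to ca-certificates.crt is lost the next time update-ca-certificates regenerates that file; dropping the PEM into /usr/local/share/ca-certificates/ and running update-ca-certificates survives package updates.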

This also affects automated pipelines. CI environments that pull dependencies or talk to APIs over TLS will fail if Zscaler’s certificate isn’t baked into their CA bundle. Solve it early, commit the fix into your container images or build scripts, and stop firefighting later.

Strong TLS hygiene with OpenSSL under Zscaler means doing this once, the right way, and keeping it in your automation. That shrinks the chance of a breaking change when Zscaler rotates certificates or updates signing chains.

If you want to see this in action without losing hours, spin up a test environment that mimics your network and certificate setup. With hoop.dev, you can have one running in minutes, diagnose the handshake, and ship faster.
