
Installing the Zscaler Root CA on openSUSE Tumbleweed (WSL Edition)

Author
sondosclicks
A simple notebook of ideas, stories and small experiments… with just the right amount of seriousness and a pinch of irony.


Ah, Zscaler — our favorite corporate “friend” who loves to play middleman between us and the internet.
Because who doesn’t enjoy HTTPS interception at 9 AM on a Monday? 😅

If you’re running openSUSE Tumbleweed on WSL and everything suddenly breaks — curl, wget, zypper, even git — congratulations! You’ve just met Zscaler’s SSL inspection. Let’s fix it so you can get back to doing real work (and maybe a bit of complaining).


⚙️ Step-by-Step: Making openSUSE Trust Zscaler

openSUSE uses p11-kit and the update-ca-certificates system to manage trusted roots.
We’ll show you two easy ways to install that corporate CA certificate (before Zscaler ruins your day again).


🧙‍♂️ Option 1: Use trust anchor (Recommended)

  1. Download the Zscaler Root CA certificate

    Grab it from your corporate SharePoint or the ZIA Admin Portal (usually a .pem or .crt file).
    Example (fictional) link:
    Zscaler_Root_CA.pem

  2. Add it to the system trust store

    sudo trust anchor ~/Zscaler_Root_CA.pem

  3. Verify it worked

    trust list | grep Zscaler

    If you see the certificate listed as an anchor — you’re golden!
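Anything anchored in step 2 can vouch for any site, so it is worth confirming the downloaded file really is the CA your IT team issued before trusting it. The script below is an added example, not part of the original post: it compares the certificate's SHA-256 fingerprint with a value obtained out of band and only then runs trust anchor. The function names are hypothetical and the fingerprint in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example: pin the corporate root CA to a fingerprint obtained out of
# band (for example from IT over a separate channel) before anchoring it.

# Print the certificate's SHA-256 fingerprint as uppercase hex, no colons.
# Prints nothing if the file is not a parseable X.509 certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F'
}

# Normalize a fingerprint typed or pasted by a human (colons, spaces, case).
normalize_fingerprint() {
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Return 0 only if the file parses and matches the expected 64-hex-digit value.
fingerprint_matches() {
    actual=$(cert_fingerprint "$1")
    expected=$(normalize_fingerprint "$2")
    [ -n "$actual" ] && [ "${#expected}" -eq 64 ] && [ "$actual" = "$expected" ]
}

# Verify first, show what is about to be trusted, then anchor it.
install_pinned_ca() {
    cert=$1
    if ! fingerprint_matches "$cert" "$2"; then
        echo "refusing to trust $cert: fingerprint mismatch or unreadable file" >&2
        return 1
    fi
    openssl x509 -in "$cert" -noout -subject -issuer -enddate
    sudo trust anchor "$cert"
}

# Usage: ./pin-ca.sh ~/Zscaler_Root_CA.pem "<SHA-256 fingerprint from IT>"
if [ "$#" -eq 2 ]; then
    install_pinned_ca "$1" "$2"
fi
```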

🧰 Option 2: Manually Copy and Update

  1. Move the certificate to the anchors directory

    sudo cp Zscaler_Root_CA.pem /etc/pki/trust/anchors/

    (You can also use /usr/share/pki/trust/anchors/ for system-level trust.)

  2. Regenerate the CA store

    sudo update-ca-certificates

  3. Celebrate. Maybe sarcastically. Your Linux tools should now stop complaining about “unknown issuer” errors. 🎉

🕵️‍♀️ Why This Matters

Zscaler intercepts HTTPS traffic, re-signs it with its own root certificate, and pretends it’s doing you a favor. Without trusting that CA, every secure connection fails miserably. Adding the cert ensures your tools — curl, wget, zypper, pip, etc. — behave again.

🔍 Enterprise Notes

  • Internal docs usually recommend copying the cert to /etc/ssl/certs/ca-certificates.crt or automating this with scripts.

  • For containers, Git, or Python, you might need to append the cert to their own CA bundles manually.

(Yes, even Docker doesn’t escape Zscaler’s reach. 🧟‍♂️)

✅ Quick Trust Check

Run:

openssl s_client -connect example.com:443 -showcerts

If the output shows Verify return code: 0 (ok) and no “unknown issuer”-style error, congrats: your system now trusts Zscaler (begrudgingly).

🧠 Key Takeaways

  • Zscaler breaks SSL. We fix SSL. Circle of life.
  • Use sudo trust anchor for the cleanest install on openSUSE.
  • Don’t forget to verify — trust, but verify (literally).
  • Optional: complain to IT for deploying Zscaler in the first place. 😉
