Set up IGEL with Zscaler Root Certificate Authority

In a previous post outlining how to set up IGEL for the first time, I mentioned that if you're using a technology that intercepts TLS on your network and re-signs server certificates with its own root CA (the most popular solution being Zscaler), you'll run into problems getting a demo license. That is only the first symptom; the untrusted root causes several other issues down the line.

In this post I will walk you through installing your Root CA certificate during the build process of your IGEL client. I'm assuming your other clients are Windows, so the steps for obtaining the certificate are for Windows. There are ways to export it from a Mac, but I'm not familiar with those steps, so I'm not including them here. You can also get the certificate from your Zscaler administrators.

Also, these same steps will likely work for any other SSL inspection technology, but since I'm most familiar with Zscaler, that's what we're testing here today.

On your Windows PC

On your company PC (where the Root CA has already been deployed by your administrators), launch CertLM.msc from the Start Menu. Once launched, expand Trusted Root Certification Authorities and then select Certificates. Find the certificate that matches the name of your SSL inspection technology. For Zscaler, it's Zscaler Root CA.

Zscaler Certificate in Certificate Management

  1. Right-click on the certificate and select All Tasks followed by Export.
  2. Click Next on the welcome screen.
  3. Select Base-64 Encoded X.509 (.CER) for your certificate type (this is the plain-text PEM format IGEL needs). Click Next.
  4. Provide a file name that you'll remember in a few minutes.
  5. Complete the wizard.

If you chose Base-64 encoded X.509 in step 3, the exported file is already in the plain-text PEM format that IGEL (Debian-based) expects and needs no conversion. Conversion is only needed if the file you have was exported as DER encoded binary X.509, for example one handed to you by your Zscaler administrators. The easiest method is to use an online tool such as the SSLShopper SSL Converter: choose the exported file, select DER/Binary for the certificate type, and then Standard PEM for the type to convert to.

SSLShopper Online SSL Converter

You could also use OpenSSL for this process, which keeps the file on your own machine; there are several instructions online you can follow if you'd prefer not to use the SSLShopper service. A root CA certificate contains only public data, so uploading it is not a confidentiality problem, but you are trusting the converter's output, so verify the certificate's thumbprint before installing it either way.

At this stage, you can delete the originally exported DER file, if you had one. We will only use the plain-text PEM file from this point forward. If you're confused about which is which, open them with a text editor: the one that begins with -----BEGIN CERTIFICATE----- is the correct file.

On the IGEL Client

Introduction Steps

Before we manually install the certificate, it's worth noting that these steps are only necessary if you're not attached to a UMS, or if you're unable to attach to the UMS because of certificate issues. If you're already attached successfully to a UMS, you can follow the steps in Deploying Trusted Root Certificates in IGEL OS from the official documentation. Also, the steps below closely mirror the steps found in Installing Certificates Manually in IGEL OS.

Follow the previous post all the way through until you reach the section IGEL First Boot, and stop at the screen that asks "Is this the right display and keyboard language?"

Your next decision is how you're going to get the certificate file on to the device. Below I'll offer a few suggestions.

Tip

Don't have anywhere to host the certificate to make it accessible to your IGEL PC? Use Pastebin. A root CA certificate contains only the public key and is typically not sensitive (check with your internal security teams as necessary), and your uploaded certificate can be downloaded in raw format from IGEL using the URL https://pastebin.com/raw/pastebin_unique_id. Because you'll be fetching it with certificate verification turned off, compare the downloaded file's thumbprint with the one certlm.msc shows before you install it.

The unique IDs are also typically very short, making them easy to retype.

Method 1: Copy the file using a USB Key (Physical Hardware Only)

  1. Copy the file to a formatted USB key.
  2. Attach the USB Key to the system and reboot it.
  3. Once you're at the welcome screen again, press CTRL+ALT+F11 to open a terminal window.
  4. Press ENTER on your keyboard to login.
  5. Navigate to your media folder by typing cd /userhome/media and pressing enter.
  6. Enter ls -l to find the name of the directory assigned for your USB key.
  7. Enter cd directory (where directory is the folder from Step 6) to navigate to the USB key.
  8. Enter ls -l again and verify the certificate file is there.
  9. Enter cat zscaler_root.cer (replacing it with your file name) to verify the certificate looks correct: it should begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
    What am I doing?

    Some of these commands will be familiar to those coming from Windows, but I'll describe them below.

    Command   Windows Command Line   PowerShell      Comments
    ls        dir                    Get-ChildItem   The -l option prints one entry per line with details
    cd        cd                     Set-Location
    cat       type                   Get-Content

Once the certificate file is there, you can skip the other options below and go to Installing the Certificate.

Method 2: Download the file from a webserver (internal or external)

In the following steps, replace the URLs and output file names as appropriate.

  1. Host the file on a webserver that's accessible to your IGEL client.
  2. From the welcome screen, press CTRL+ALT+F11 to open a terminal window.
  3. Enter curl --insecure https://pastebin.com/raw/unique_key --output zscaler_root.cer
  4. Enter cat zscaler_root.cer (replacing it with your file name) to verify the certificate looks correct: it should begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
    What am I doing?

    Some of these commands will be familiar to those coming from Windows, but I'll describe them below.

    Command   Windows Command Line                   PowerShell          Comments
    curl      curl.exe (Windows 10 1803 and later)   Invoke-WebRequest   --insecure (-k) disables certificate verification. It is needed here because the Zscaler CA isn't trusted yet, which also means the download is not authenticated; check the thumbprint before installing.
    cat       type                                   Get-Content

Installing the Certificate

Regardless of which method you chose, you're now in a terminal and in a folder that contains the certificate file, which for this demo we'll call zscaler_root.cer. You've also confirmed the certificate is correct by viewing its content and seeing that it begins with a -----BEGIN CERTIFICATE----- line and ends with an -----END CERTIFICATE----- line.

  1. Enter mkdir /wfs/ca-certs to create a local certificate directory.
  2. Enter cp zscaler_root.cer /wfs/ca-certs to copy the cert to the new directory.
  3. Enter cd /wfs/ca-certs to navigate to the new local certificate directory.
  4. Enter ls -l and verify the certificate is there.
  5. Enter reboot to reboot the PC.

The final reboot isn't mentioned in IGEL's official documentation, but in practice it seems to be required during first-time setup.

What am I doing?

Some of these commands will be familiar to those coming from Windows, but I'll describe them below.

Command   Windows Command Line   PowerShell         Comments
mkdir     md                     New-Item
cp        copy                   Copy-Item
cd        cd                     Set-Location
ls        dir                    Get-ChildItem      The -l option prints one entry per line with details
reboot    shutdown /r            Restart-Computer
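As an added example that is not part of the original post or of IGEL's documentation, the script below performs the conversion and installation steps described above on the IGEL client itself, so a DER export can be converted without an online tool, and it covers both the USB and the download methods. Its security-relevant addition is a thumbprint check: whether the file arrived on a USB key or was fetched from a web server or Pastebin with curl --insecure, the SHA-1 of the certificate is compared against the Thumbprint that certlm.msc shows on the certificate's Details tab before anything is copied into /wfs/ca-certs. That Windows Thumbprint is the SHA-1 hash of the certificate's DER bytes, which is what pem_thumbprint computes. The function names, the file names in the usage comments and the EXPECTED_THUMBPRINT placeholder are my own assumptions; /wfs/ca-certs is the directory from the steps above. It needs only POSIX sh and coreutils (od, base64, fold, sha1sum, sed), plus curl for the download.

```shell
#!/bin/sh
# Added example, not from the original post or IGEL's documentation.
# Normalises an exported root CA file to PEM, checks its SHA-1 thumbprint
# against the value shown in certlm.msc, then copies it into /wfs/ca-certs.
# Assumptions (mine, not the post's): the function names, the file names in
# the usage comments, and EXPECTED_THUMBPRINT, which you must copy from your
# own certlm.msc. Needs POSIX sh + coreutils (od, base64, fold, sha1sum, sed);
# curl is used only by fetch_cert.

# Print PEM, DER or UNKNOWN for the file in $1.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo PEM
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        echo DER          # a DER certificate starts with the SEQUENCE tag 0x30
    else
        echo UNKNOWN
    fi
}

# Convert DER ($1) to PEM ($2): base64 body in 64-column lines between the
# BEGIN/END CERTIFICATE markers, the same layout "openssl x509 -inform der"
# produces.
der_to_pem() {
    {
        printf '%s\n' '-----BEGIN CERTIFICATE-----'
        base64 "$1" | tr -d '\n' | fold -w 64
        printf '\n%s\n' '-----END CERTIFICATE-----'
    } > "$2"
}

# SHA-1 of the DER bytes inside PEM file $1, lowercase hex, no separators.
# This is exactly the "Thumbprint" field certlm.msc displays. CR characters
# are stripped because the file usually arrives with Windows line endings.
pem_thumbprint() {
    sed '/-----/d' "$1" | tr -d '\r\n ' | base64 -d | sha1sum | cut -d' ' -f1
}

# Lowercase and strip the colons/spaces certlm.msc may show, so that
# "D7 2A ..." or "d7:2a:..." compare equal to pem_thumbprint's output.
normalize_thumbprint() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-Z' 'a-z'
}

# Download with verification disabled. This is unavoidable before the root CA
# is trusted, so the transfer is NOT authenticated: only the thumbprint check
# in install_cert makes the result trustworthy.
fetch_cert() {
    curl --silent --show-error --insecure --output "$2" "$1"
}

# install_cert FILE EXPECTED_THUMBPRINT [DEST]
# Converts FILE to PEM if needed, refuses to install on a thumbprint mismatch,
# and copies the PEM into DEST (default /wfs/ca-certs, as in the post).
install_cert() {
    dest=${3:-/wfs/ca-certs}
    case "$(cert_format "$1")" in
        PEM) pem=$1 ;;
        DER) pem="$1.pem"; der_to_pem "$1" "$pem" ;;
        *)   echo "$1 is not a DER or PEM certificate" >&2; return 1 ;;
    esac
    actual=$(pem_thumbprint "$pem")
    expected=$(normalize_thumbprint "$2")
    if [ "$actual" != "$expected" ]; then
        echo "thumbprint mismatch: file has $actual, certlm.msc shows $expected" >&2
        return 1
    fi
    mkdir -p "$dest" && cp "$pem" "$dest/" && echo "installed $pem into $dest"
}

# Usage on the IGEL client (placeholders, replace with your own values):
#   EXPECTED_THUMBPRINT='copy the Thumbprint from certlm.msc here'
#   fetch_cert 'https://pastebin.com/raw/unique_key' zscaler_root.cer   # skip for the USB method
#   install_cert zscaler_root.cer "$EXPECTED_THUMBPRINT" && reboot
```

Run it from the directory holding the certificate (the USB mount point or wherever curl saved the file). A mismatch means you have the wrong file, a damaged one, or something other than your Zscaler Root CA, and nothing is copied into /wfs/ca-certs.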

That's all there is to it. The Zscaler Root CA is now trusted by IGEL!