Question 16 - Zscaler ZDTA Real Exam Questions [March 2026 Update]

Q: 16

A user is accessing a private application through Zscaler with SSL Inspection enabled. Which certificate will the user see on the browser session?

Options

Correct Answer:

Explanation

When Zscaler performs SSL/TLS inspection for traffic to a private application, it functions as a full proxy, executing a Man-in-the-Middle (MITM) process. The Zscaler Service Edge intercepts and terminates the TLS connection initiated by the user's browser. It then establishes a separate, new TLS connection to the private application's server. To present a valid certificate back to the user's browser for the intercepted session, Zscaler dynamically generates a certificate for the requested application domain. This new certificate is signed by the Zscaler Root CA, which must be trusted by the user's client device. The user's browser, therefore, sees this Zscaler-generated MITM certificate, not the application's original certificate.

Why Incorrect

A. An HTTPS session always requires a certificate to be presented to the browser to establish a secure, encrypted connection.

B. The certificate is signed by the trusted Zscaler Root CA, not a typical untrusted, self-signed certificate.

C. The real server certificate is presented to the Zscaler Service Edge, not the user's browser, during an inspected session.

References

1. Zscaler Help Portal

"About SSL Inspection": "To inspect SSL traffic

the Zscaler service establishes a separate SSL tunnel with the destination server and with the user's browser. It then decrypts and inspects the content passing between the two tunnels. To do this

the Zscaler service uses a Zscaler-signed certificate... The Zscaler service dynamically generates a certificate and signs it with the Zscaler root certificate." (help.zscaler.com/zia/about-ssl-inspection)

2. Zscaler Help Portal

"Using Your Own Certificate for SSL Inspection": "When performing SSL inspection

the Zscaler service uses a Zscaler-signed certificate by default. It dynamically generates a certificate and signs it with the Zscaler root certificate." (help.zscaler.com/zia/using-your-own-certificate-ssl-inspection)

3. Zscaler Whitepaper

"The Zscaler Zero Trust Exchange Architecture": In the section "SSL/TLS Inspection at Scale

" the architecture is described: "Zscaler terminates the user’s connection and opens a new one to the destination... The Zscaler proxy presents a certificate to the user that is signed by the Zscaler root CA." (zscaler.com/resources/white-papers/zscaler-zero-trust-exchange-architecture.pdf

Page 10)

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE