Zscaler has determined that any App Connector Manager or Private Service Edge Manager version that is earlier than 23.374.1 would potentially face certificate expiration issue by May 2025. The certificate expiration affects ZPA’s ability to upgrade the App Connector or the Private Service Edges for any and all customers that have App Connectors or Private Service Edges deployed. 

More details on the new G2 certificate policy by Digicert is available at the below link https://knowledge.digicert.com/general-information/digicert-root-and-intermediate-ca-certificate-updates-2023 

Zscaler recommends that the Manager version of all App Connectors and Private Service Edges should be on version 23.374.1 or later in order to use the latest G2 intermediate and root CA certificates as aligned with the above Digicert Policy. The certificate expiration affects ZPA’s ability to upgrade the deployed App Connectors or the Private Service Edge.

To upgrade App Connector Manager for CentOS, and Redhat, use the yum update command. For example:

[admin@zpa-connector ~]$ sudo yum update zpa-connector
[admin@zpa-connector ~]$ sudo systemctl restart zpa-connector

To learn more, see App Connector Deployment Guide for CentOS, Oracle, and Redhat and Managing Deployed App Connectors. To upgrade for Amazon Web Services (AWS), Microsoft Azure, VMware, and other supported platforms, see App Connector Deployment Guides for Supported Platforms.

To upgrade Private Service Edge Manager for CentOS, Oracle, and Redhat, use the yum update command. For example:

[admin@zpa-service-edge ~]$ sudo yum update zpa-service-edge
[admin@zpa-service-edge ~]$ sudo systemctl restart zpa-service-edge

To learn more, see Service Edge Deployment Guide for CentOS, Oracle, and Redhat and Managing Deployed ZPA Private Service Edges. To upgrade for Amazon Web Services (AWS), Microsoft Azure, VMware, and other supported platforms, see Private Service Edge Deployment Guides for Supported Platforms.

Do I need to perform this upgrade if I plan to upgrade to RHEL9 images?

If you have already scheduled upgrading App-Connector and PSE to RHEL9 images then the manual upgrade noted above is not needed as the new RHEL9 images contain new certificates.

How does this affect me?

ZPA relies on App Connector Manager and Private Service Edge Manager to configure and manage App Connector and Private Service Edge software and services. ZPA will not be able to upgrade App Connector and Private Services Edges if App Connector Manager and Private Service Edge Manager are outdated.You will not be able to apply bug fixes and new enhancements unless you upgrade.

How to check the Manager Software version?

App Connector: Configuration & Control > Private Infrastructure  > App Connector Management > App Connector : the second column shows the manager version of each App Connectors

Private Service Edge: Configuration & Control > Private Infrastructure > Private Service Edge Management >   Private Service Edge : the second column shows the manager version of each Private Service Edges

What if I have more questions? 

If you have additional questions, contact Zscaler Support via the Support link in the Admin Portal or contact us at +1-408-701-0534. Within the U.S., you can use 1-800-953-3897.