WSL2 uses a real Linux kernel, but its networking is proxied through the host system. For corporate laptops using ZScaler, there is a root CA certificate installed to the machine to allow sniffing of TLS/SSL traffic as it travels through the intranet. This poses a problem for virtualized hosts. If you try to curl an HTTPS address on your WSL virtual machine, for example, the program will complain of an invalid certificate. We subvert this by copying the root certificate to our virtual machine.
Assuming that your host machine has WSL2 installed and configured, the setup process is as follows:
- Open the Windows certificate manager and navigate to your “Trusted Root Certification Authorities”.
- In the “Certificates” section, you can locate your ZScaler Root CA.
- Right-clicking this certificate can export your certificate as a DER (or similar).
- Convert this certificate using
openssl:openssl x509 -inform DER -in /path/to/your/cert -out /usr/local/share/ca-certificates/zscaler.crt - Finally, update the VM’s CA certificate database:
update-ca-certificates
You should get some output about how your new list of credentials has one more than the old version. If you added some other certificates between updates, this number may be higher.
Sidebar: some web browsers are pretty firm about their certificate stores. Waterfox is one of them. Trying to browse to a known website using Waterfox on a ZScaler-enabled laptop will give you a TLS error.