Enterprises often use tools like Zscaler to bolster their overall security posture.
Zscaler is an intercepting TLS proxy that inspects the traffic coming in and going out of the network.
Because it intercepts all traffic, clients have to be configured with a custom TLS certificate for the connections to be trusted.
This doesn’t always play nicely with other tools, especially tools that require TLS certificates—like
Zscaler and Nix used to be a big pain
Nix users in enterprise environments have run head-first into this problem countless times:
On Linux, this isn’t a huge issue.
Users and admins can add the certificate to their trusted bundle at a standard location like /etc/ssl/certs/ca-certificates.crt
or /etc/pki/tls/certs/ca-bundle.crt
.
On macOS, however, the story is slightly more annoying for Nix because macOS stores the custom certificates in Keychain, a key and secret store used by applications across the macOS ecosystem. If you’re fully steeped in macOS, this is fine and works out of the box. But if you’re using a tool like Nix that’s mostly designed and used by Linux users to build Linux software then… things can get unpleasant.
Users have long had to export their enterprise certificate from Keychain, reconfigure Nix, and manage this over time. When the certificate eventually expires and needs rotating, the user has to figure out how they fixed it the first time and try again.
Uff da… what a headache.
Determinate means Nix + Zscaler doesn’t have to be a huge pain
Our goal with Determinate is to make Nix a pleasure to use across these platforms and to elegantly solve thorny problems for both users and IT administrators.
So we fixed the Nix/Zscaler certificate issue on macOS. Determinate automatically configures Nix on macOS with an up-to-date certificate bundle from Keychain and synchronizes the bundle with Keychain over time.
How to install Determinate
Install Determinate with the Determinate Nix Installer by passing the --determinate
flag:
Alternatively, you can use our signed macOS .pkg
for convenient distribution.
If Installomator is your thing, we provide a Mobile Device Management (MDM) script that integrates especially well with automated processes.
Determinate is available on all systems that the Determinate Nix Installer supports.
More to come
This is just the beginning of a series of posts about what we’re doing to improve the experience of using Nix in the enterprise. If this is music to your ears, join our Discord at https://determinate.systems/discord and come chat.