Define trusted certificate authorities for TLS inspection
If you are using client protection and users must connect to domains whose certificates are not signed by one of the default Trusted Certificate Authorities, define your own Trusted Certificate Authority element to represent it.
Trusted Certificate Authority elements represent the certificates that identify certificate authorities. When a client in the protected network connects to an HTTPS server, the engine checks whether the certificate authority that signed the server’s certificate is one of the Trusted Certificate Authorities. If the certificate was signed by one of the Trusted Certificate Authorities, the engine makes a substitute certificate that matches the server's certificate. The engine then signs the substitute certificate with the Client Protection Certificate Authority signing certificate. If the server’s certificate is not signed by a Trusted Certificate Authority, the engine makes a new self-signed certificate. In this case, users receive a warning that the issuer of the certificate is not trusted. In both cases, client protection continues to function normally.
When you define a CA as trusted, all certificates signed by that CA are considered valid until their expiration date.