Quiz Entry - updated: 2026.06.28
Why must the firewall's root certificate be installed on every client device when SSL Forward Proxy is enabled?
Without the root cert in the client's trust store, every HTTPS site triggers a certificate warning ("Not Secure / Untrusted CA").
When the FW intercepts TLS, it forges a certificate for the requested domain and signs it with its own internal CA. The browser checks: "Do I trust the signer?" If the FW's CA isn't in the OS/browser trust store, the answer is no — and the browser refuses or warns.
Practical consequences:
- Corporate-managed devices: cert pushed via GPO/MDM — invisible to user.
- BYOD or guest devices: bypass needed (e.g., decryption-exclusion list) or HTTPS breaks.
- Cert pinning (banking apps, some browsers for Google domains): even with the root cert installed, pinned apps reject the FW cert and break. → exclude from decryption.
Tip: Pinning beats any FW root cert. If TLS decryption breaks an app for no obvious reason, suspect cert pinning first.