I setup our transparent proxy so we can do interception and IPS. I’m interested/concerned about the ability to use an intermediate ca cert downstream inline somewhere (like a teoco) and if regular consumer desktops would alert on that since their browser would trust the root. We GPO place our intermediate cert in the Windows trusted intermediates. I can’t remember if browsing breaks without doing that.

Not really a concern if there’s other certs/TLS required.in addition to the QWACs cert thought.

I got the impression the easier threat/worry was compromise of a nation CA and issuing illicit duplicate site certs, to then spoof a bank site. Still requires traffic redirection with DNS or routing though I think.