custom certificate for end users with ADCS

If your users don't surf the web with Chrome, you might be able to just use your default domain root certificate, which is already trusted by your domain joined PC's.

If you have Chrome in your environment, a few updates ago they put in the requirement of certificates needing the subject alternative name. There are methods to get your ADCS to be able to generate these types of certs, but I don't recommend mucking with ADCS just for this.

All you can do is generate the certificate on the UTM and push it out with group policy to the trusted root certificate store. This will ensure it's trusted by your PC's and they will not get a certificate error if you have HTTPS scanning enabled.

Unless this isn't at all what you're asking, then I'm just confused by your question :-)

If your users don't surf the web with Chrome, you might be able to just use your default domain root certificate, which is already trusted by your domain joined PC's.

If you have Chrome in your environment, a few updates ago they put in the requirement of certificates needing the subject alternative name. There are methods to get your ADCS to be able to generate these types of certs, but I don't recommend mucking with ADCS just for this.

All you can do is generate the certificate on the UTM and push it out with group policy to the trusted root certificate store. This will ensure it's trusted by your PC's and they will not get a certificate error if you have HTTPS scanning enabled.

Unless this isn't at all what you're asking, then I'm just confused by your question :-)