Custom ROOT Ca

Question

Which are the steps to set up the web appliance to use a custom CA as ROOT CA while enabling the HTTPS Scanning ? 
 I've read the only method to use a custom Root certificate is to configure it as subordinate of the enterprise CA . 
 But how do I generate the request file for a subordinate CA to be passed to the Root CA ? 
 thanks

Red_Warrior · Answer

In short, It is just not worth it. 
 Https scanning peels off a new certificate for every connection it decrypts and scans. The applaince has its own signing authority CA.. In theory you could go buy your own trusted signing authority .. but your talking a lot of $$.. You could always generate your own signing authority .. but again .. it's still going to be self signed so there is not really any point. 
 Best you can reasonably get away with is a 5$ cert for the UI. In all honesty there is no point. 
 
 the only networks your going to do https scanning are will be under the authority of AD .. and trying to decrypt and scan say a public wifi is futile as adding it to handhelds and getting people to accept it is not going to happen. 
 I would recomend https scanning on your wired network, push out the appliances root as a trusted root authority in the browser with GPO. and have a completely separate appliance for your unsecured wifi or other networks that do not require decrypt and scan. 
 unfortunately https scanning is either on or off, even with clustered appliances. You can not toggle scanning for network X or network Y . However the UTM can be set up to do so, but it does not have all the features of a web appliance.