Under Security Service Edge (SSE), a certificate signed by a default certificate authority (CA) is provided for SAML authentication on Secure Web Gateway after the initial setup. A certificate signed by a a custom certificate authority is provided for HTTPS scanning.
We recommend that you download the default CA certificate and install it on your endpoints. We also recommend that you replace the custom CA certificate that is provided with a CA certificate of your own.
To replace the custom CA certificate, work with the options for HTTPS Scanning feature configuration.