Enable SSL Intercept on the ProxySG with an imported Certificate from a third-party Certificate Authority.

After you added the certificate to Proxy Settings > SSL Proxy (SSL interception on exception and default SSL interception certificate) and hit Apply you get the below error.

"Keyring does not have a certificate authority's certificate"

The imported Certificate is not a subordinate CA certificate. The SSL intercept certificate must have the Basic Constrain CA=true extension, Certificate Revocation List (CRL) and certificate sighing Key Usages.

For more information about the SSL Certificate requirement, refer to Article ID: 167385

A self-signed certificate on the ProxySG can also be used for SSL interception without the need to retrieve a certificate from a root CA, but would need to be installed in the browser as a Trusted Root Certification Authority.