
Is Self Signed Root Decryption Certificate for HTTPS Decryption Really Required?

Question: We have a wildcard certificate for *.example.com from a well-known certification authority. Why can't we use it to perform HTTPS decryption?

Answer: The certificate you have is only valid for names that match *.example.com. It is indeed a wildcard, but the wildcard covers only the subdomains of example.com. When HTTPS decryption is enabled, the proxy has to present a certificate for every site it decrypts and re-encrypts, and those are completely different names, for example www.facebook.com, which your certificate does not cover. There is a second reason as well: to mint those per-site certificates the proxy needs a CA certificate (basicConstraints CA:TRUE) whose private key may sign other certificates. A wildcard certificate from a public CA is an end-entity certificate, and publicly trusted CAs do not issue subordinate CA certificates for interception. So this certificate cannot be used.

Also note that if HTTPS decryption is required, your clients must trust the Root Decryption Certificate of your proxy. You establish that trust by adding the Decryption Certificate to the list of trusted root certificates on each client, as explained in the Install Decryption Certificate article.

The Admin UI itself checks that the Root Decryption Certificate you upload is in correct PEM format and that it is self-signed.