While it is not generally advisable to allow users to freely access sites with bad certificates (expired, self-signed, unknown authorities, common name mismatch, etc.), the flexibility of the MWG rule engine does allow you to block on some types of errors, warn on others, and allow on others, with extensive logging when users click through the warning. It is highly recommended that, regardless of category, decryption be performed whenever a certificate error is encountered. The attached rulesets allow the connection to be established, decrypted, and logged whenever a certificate verification error is encountered. They also demonstrate how to implement end-user warnings that are customized for your environment. The rulesets include rules for log only, block and log, and warn and log. One ruleset replaces the Certificate Verification rules, another is inserted in the URL filter ruleset, and the last goes in the log handler rulesets. The Certificate Verification rulesets and logging rulesets combine the functionality described in the comments of this discussion: MWG7 SSL - Incident Manager?
Certificate Verification Ruleset:
To warn users and allow click-through, use this ruleset with the "Log" rule enabled for the types of errors you want to warn on.
Enable the appropriate rulesets to match the errors that you want to warn on rather than just log. Each error type has its own coaching config, as you may want to set your timeouts differently based on the type of error. If you want to log all accesses after a click-through, enable the second rule in each coaching ruleset.
SSL Incident Log Handler Ruleset:
Writes the SSL Incident log on any SSL Incident.