The difference between the GUI certificate and certificates for HTTPS sites is that the GUI cert is a server certificate. This certificate is only valid for one host, so you can get it trusted by a known CA. The certificate MWG uses for signing requests for HTTPS sites is a CA itself, which signs server certificates itself.
So a CA needs to be used that is trusted in the browsers. It is not possible to obtain a CA which is signed by a CA that is already trusted in the browsers, like VeriSign etc., because MWG will create server certificates for all URLs you access via HTTPS. If you go to facebook.com, MWG will create a server certificate for facebook.com and sign it with its local CA.
This local CA needs to be known in the users' browsers. There are only two ways:
- You already have a company-wide CA which is trusted on all machines. You can use it to create a SubCA and import the SubCA into MWG.
- All browsers need to be configured to trust the CA imported into MWG. For Internet Explorer you can share it via GPO; for Firefox or Linux computers you may want to provide a link with instructions or a script for installation to your users.
I am not aware of a way to have Firefox automatically import a given CA for a complete company.
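The SubCA option described above, as an added example that is not part of the original post: a throwaway root CA signs a SubCA, the SubCA signs a server certificate for one host the way the proxy does on the fly, and a client that trusts only the root still accepts it. It assumes the OpenSSL 1.1.1 or later command line; all names, paths and lifetimes are constructed, and importing the SubCA into MWG is not shown.

```shell
#!/usr/bin/env bash
# Added example. Every name, path and lifetime below is constructed for the demo.

# new_csr <dir> <name> <CN>: fresh key plus certificate signing request.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# build_chain <dir> <host>: root CA -> SubCA -> server certificate for <host>.
build_chain() {
  mkdir -p "$1" || return 1
  cat > "$1/ext.cnf" <<EOF
[root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[subca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
  # Company-wide root: stands in for the CA already trusted on all machines.
  new_csr "$1" root "Example Company Root CA" || return 1
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 30 \
    -extfile "$1/ext.cnf" -extensions root -out "$1/root.crt" 2>/dev/null || return 1
  # SubCA signed by the root: the CA certificate and key the proxy would hold.
  new_csr "$1" subca "Example Proxy SubCA" || return 1
  openssl x509 -req -in "$1/subca.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
    -set_serial 2 -days 30 -extfile "$1/ext.cnf" -extensions subca \
    -out "$1/subca.crt" 2>/dev/null || return 1
  # Server certificate for one site, issued by the SubCA as the proxy would.
  new_csr "$1" leaf "$2" || return 1
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/subca.crt" -CAkey "$1/subca.key" \
    -set_serial 3 -days 30 -extfile "$1/ext.cnf" -extensions leaf \
    -out "$1/leaf.crt" 2>/dev/null
}

# client_trusts <dir> <trusted-CA-file>: 0 if a client trusting only that CA accepts
# the leaf; the SubCA is passed as an untrusted intermediate sent with the leaf.
client_trusts() {
  openssl verify -CAfile "$2" -untrusted "$1/subca.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# is_ca <cert>: 0 if basicConstraints marks it as a CA (a GUI-style server cert is not).
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
```

Run `build_chain /tmp/demo www.example.test`, then `client_trusts /tmp/demo /tmp/demo/root.crt` returns 0, while passing any other root returns non-zero, which is the browser warning users see when the signing CA has not been distributed.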
Helpful as always.
Now everything is clear.