Issues after installing organization-required root CA

[carmik 0]

I'm working as the IT responsible for an organization in a large WAN. ESET endpoint security is installed and TLS filtering is enabled mainly to scan secure HTTP/POP-3 traffic. Things worked just fine, until some changes in the WAN infrastructure took place. Specifically, the WAN traffic is now intercepted and scanned for malware/DLP. In order for that to be done, the IT department handling centrally the WAN has provided a root CA to be installed on all client systems, in order for them to be able to access the internet.

We've installed that with a group policy and most of the time things just work as they did: if I try to see the certificate of a page, I'm informed that the root certficate is the ESET one.

However, now on occasion trying to access a page throws a certificate error in the browser. Doing a refresh seems to work just fine. Additionally, some site utilizing templatres/code from other sites behave in a funny way: for example JS code does not seem to be working. Finally, we've seen a case where the same https site shows not only the ESET cert, but also a Digicom one or the cert corresponding to the central WAN.

I'm figuring here that there are two certificates trying to prevail which one is going to do MITM decryption. Are the above mentioned issues expected in a setup like ours?

[carmik 0]

Addendum: reporting the issue to the organization IT HQ did not help a lot. I've been asked to insert the ESET root certificate via the MMC and not using the installer.

Two things:

1) where can I get the certificate itself to try that out?

2) I presume that the installer simply calls a cert management command to get the job done, which is not contrary to Microsoft recommendations, correct? In other words, can someone from ESET verify that the certification installation is done per MS guidelines? Even better, by which way (I'm definitely going to be asked about that).

 

[carmik 0]

(bump) Anyone from ESET care to join in?