encryption – Nextgen firewalls – encrypted traffic inspection

These encrypted-traffic-inspection devices authenticate as if they were the website you are trying to visit. They can do this because they use a server certificate (and private key) signed by their own CA / PKI, whose root certificate is trusted by your browser / applications.

These trusted (root) certificates are generally shared through e.g. Active Directory group policies controlled by an admin, which pushes them into the Windows certificate store. This certificate store is also used by e.g. Chrome on Windows, although Google is thinking about using their own. In that case I presume some kind of service or application needs to configure the certificates in the browsers.

Finally they act as a client to the other system, operating as a man-in-the-middle, inspecting the (plaintext) data in the connection before forwarding it.
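To make the trust mechanism concrete, here is an added example (not code from the original answer or from any firewall vendor) that reproduces the two halves of the description in Go's standard library: an "inspection CA" root is constructed, a server certificate for a hostname is signed with it on the fly, and a client-side verification shows that the very same chain is rejected by a trust store without that root and accepted once the root has been added, exactly as happens after group policy pushes it into the Windows store. It also computes the SPKI fingerprint a pinning client would compare, since an intercepted connection presents the firewall's key rather than the real server's. The CA name and hostname are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// issuedChain holds a constructed inspection-CA root and the leaf it issued for a hostname.
type issuedChain struct {
	Root *x509.Certificate
	Leaf *x509.Certificate
}

// buildInterceptionChain constructs a self-signed "inspection CA" (hypothetical name)
// and signs a server certificate for host with it, the way an inspecting firewall
// mints a certificate for every site a client connects to.
func buildInterceptionChain(host string) (*issuedChain, error) {
	now := time.Now()
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Inspection CA"}, // constructed
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}
	// The leaf carries the firewall's own key pair, not the real server's.
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &issuedChain{Root: root, Leaf: leaf}, nil
}

// verifyForHost does what a TLS client does with the presented leaf: chains it to a
// root in the given store (standing in for the OS / browser root store) and checks the hostname.
func verifyForHost(leaf *x509.Certificate, host string, store *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: store})
	return err
}

// spkiFingerprint is the SHA-256 of the SubjectPublicKeyInfo, the value certificate
// pinning compares; an intercepted connection never matches a pin for the real server.
func spkiFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// pinMatches reports whether the presented certificate's SPKI fingerprint is among the expected pins.
func pinMatches(c *x509.Certificate, pins []string) bool {
	fp := spkiFingerprint(c)
	for _, p := range pins {
		if p == fp {
			return true
		}
	}
	return false
}

func main() {
	host := "www.example.com" // constructed
	ch, err := buildInterceptionChain(host)
	if err != nil {
		panic(err)
	}
	// An empty pool stands in for a store that holds only public roots: the chain is rejected.
	fmt.Println("without inspection root:", verifyForHost(ch.Leaf, host, x509.NewCertPool()))
	// Once the inspection root has been pushed into the store, the same chain validates.
	store := x509.NewCertPool()
	store.AddCert(ch.Root)
	fmt.Println("with inspection root:", verifyForHost(ch.Leaf, host, store))
	fmt.Println("leaf SPKI sha256:", spkiFingerprint(ch.Leaf))
}
```

The empty `CertPool` models a client that knows only public roots; swapping in a pool containing the inspection root is the one change that turns a rejected chain into an accepted one, which is why control of the pushed root store is the whole security boundary here. The SPKI pin check is the client-side signal that detects the substitution regardless of what the store trusts.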