After configuring SSL interception where the ProxySG's certificate used for interception is signed by a local PKI certification authority, it is important that the ProxySG trusts all certificates in the certification path including its own subordinate certificate (local CA signed CA certificate). Without this, the ProxySG will not send the chain of trust to the client. In other words, the ProxySG will only send the certificate in the keyring used for SSL interception and will not send the root and/or intermediate CA certificates. Unless the browser trusts the ProxySG's subordinate certificate specifically, the result will be that users will receive untrusted-issuer certificate warnings in the browser. So the ProxySG will need to send the certificate chain of trust to avoid this problem.
The browsers on the network may not trust the subordinate certificate on the ProxySG since typically only the root and intermediate CA's are trusted.
In order to accomplish this, assure the following steps are included in your SSL interception configuration.
Note: These instructions take place after having already configured a keyring with a signed subordinate certificate. See the following for more information on configuring SSL interception with a subordinate certificate (a form of these steps are included in the following article but are often missed):