If you go to Web Isolation Management GUI - System Configuration - System Certificate, you will see a some server certificates associated to the Threat Isolation Gateway or the Web Isolation Proxy component.
These certificates do have an expiry but they will be automatically renewed on the management gateway 30 days prior to expiry.
The Push Settings action must be performed during this period for the gateways to receive and start using the certificates.