when sending error messages to users who connect to a non-existing or forbidden HTTPS-site, send the full CA chain to the user/browser
Reason: Google forces more and more websites to HTTPS by punishing HTTP-only sites with a bad search ranking. When the proxy SG blocks such a site, it only sends the auto-generated certificate to the user, which results in an unclear and ugly certificate error message from the browser. This can be prevented by creating a signing certificate in the internal PKI, which the proxy SG must then send to the user. Creation of the signing certificate is out of your scope, but it will be an internal certificate, valid for the internal organization only. Sending this signing certificate to the user/browser is in your scope. Therefore this request: send the full CA chain to the user/browser whenever the proxy generates a certificate for a non-existing or forbidden HTTPS-site.
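A check an administrator can run to confirm whether a block page actually serves the full chain, added here as an example and not part of the original request: it parses the `Certificate chain` section of `openssl s_client -showcerts` output and reports issuers the server should have sent but did not. The hostnames, CA names and sample output below are constructed.

```python
"""Detect an incomplete certificate chain from `openssl s_client -showcerts` output."""
import re
import subprocess

# Regex over the "Certificate chain" listing: " 0 s:<subject>" followed by "   i:<issuer>".
CHAIN_ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)

# Roots the client already trusts (constructed: the organisation's internal PKI root).
TRUSTED_ROOTS = {"CN = Example Corp Root CA, O = Example Corp"}

# Constructed sample: the proxy sends only its auto-generated leaf (the situation described above).
SAMPLE_LEAF_ONLY = """\
Certificate chain
 0 s:CN = blocked.example.test
   i:CN = Internal Proxy Signing CA, O = Example Corp
---
"""

# Constructed sample: leaf plus the signing certificate from the internal PKI.
SAMPLE_FULL_CHAIN = SAMPLE_LEAF_ONLY.replace("---\n", """\
 1 s:CN = Internal Proxy Signing CA, O = Example Corp
   i:CN = Example Corp Root CA, O = Example Corp
---
""")

def parse_chain(showcerts_output):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    return [(m.group(2).strip(), m.group(3).strip()) for m in CHAIN_ENTRY.finditer(showcerts_output)]

def chain_gaps(chain, trusted_roots):
    """Return issuers that are neither the next certificate sent nor a trusted root.
    An empty list means the browser can build the path without guessing an intermediate."""
    missing = []
    for idx, (subject, issuer) in enumerate(chain):
        if issuer == subject or issuer in trusted_roots:
            continue  # self-signed root, or issuer already in the client's trust store
        next_subject = chain[idx + 1][0] if idx + 1 < len(chain) else None
        if next_subject != issuer:
            missing.append(issuer)
    return missing

def fetch_showcerts(host, port=443):
    """Run openssl s_client against a live host (not used by the offline demo)."""
    return subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host,
                           "-showcerts"], input="", capture_output=True, text=True).stdout

if __name__ == "__main__":
    for name, sample in (("leaf only", SAMPLE_LEAF_ONLY), ("full chain", SAMPLE_FULL_CHAIN)):
        print(name, "-> missing:", chain_gaps(parse_chain(sample), TRUSTED_ROOTS))
```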
Remark: this request is similar to https://ideas.sophos.com/forums/17359-sg-utm/suggestions/3044210-https-scanning-have-proxy-provide-certificate-cha, but differs in two main aspects:
1) in our request we only ask for the full CA chain when sending error messages that would otherwise trigger an invalid-certificate response by the browser.
2) in our request the signing certificate is generated by an internal PKI, dedicated to the internal users only.