The error you are receiving is because the SRX was not able to authenticate the Facebook server and because of this, it sends a Dummy cert to the PC in order to inform about this error. See "Server Authentication" section:
When the SRX contacts Facebook and the server provides its local cert, the SRX will try to authenticate it with the CA certs stated under:
set services ssl proxy profile ssl-inspect-profile trusted-ca [Trusted_CA-Certs]
I just connected to Facebook and received the cert attached in file "Facebook cert". We can see that this cert was issued/signed by "Digicert SHA2 High Assurance Server CA", which is an Intermediate CA. In attached file "Facebook cert-3" we can see that "Digicert" signed/issued that Intermediate CA cert, hence "Digicert" is the Root CA. We need to make sure that both the Intermediate CA cert and the Root CA cert are loaded in the SRX if we want it to trust the local cert provided by Facebook.
I believe you need to change the value "sky-atp-ca" to "all" so that the SRX will check all installed CA certs when authenticating Facebook or any other external website. Note that "all" option means that the SRX will check all installed CA certs when authenticating an external cert. Juniper packages come with pre-installed CA certs that can be loaded with the following command:
Try installing the Trusted CA list provided by Juniper and using option "all" under [edit services ssl proxy profile ssl-inspect-profile trusted-ca]. If the issue persists after that, then we will confirm if the SRX does have the Root CA cert (Digicert) and the Intermediate CA cert (Digicert SHA2 High Assurance Server CA) installed correctly.
Pura Vida from Costa Rica - Mark as Resolved if it applies. Kudos are appreciated too!
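The chain-of-trust point in the reply above, as an added example that is not part of the original thread: it uses the `openssl` CLI as a stand-in for the inspecting device's trust decision and does not show SRX commands. All certificates and names (Lab Root CA, Lab Intermediate CA, Unrelated CA, www.example.test) are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed lab PKI (placeholder names): Lab Root CA -> Lab Intermediate CA -> leaf,
# plus an unrelated CA. Shows which CA certs a verifier must hold to trust the leaf.

csr() {  # csr DIR NAME CN: create a new key and a signing request
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

build_lab_pki() {  # build_lab_pki DIR
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    csr "$d" root "Lab Root CA" && csr "$d" inter "Lab Intermediate CA" &&
    csr "$d" other "Unrelated CA" && csr "$d" leaf "www.example.test" || return 1
    # Two self-signed roots: the real one and an unrelated one
    for ca in root other; do
        openssl x509 -req -in "$d/$ca.csr" -signkey "$d/$ca.key" -days 2 \
            -extfile "$d/ca.ext" -out "$d/$ca.pem" 2>/dev/null || return 1
    done
    # Intermediate signed by the root; leaf (server cert) signed by the intermediate
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

trusts() {  # trusts LEAF CA_CERT...: succeeds only if the listed CA certs chain LEAF to a root
    leaf=$1; shift
    store=$(mktemp) || return 2
    cat "$@" > "$store"
    rc=0
    openssl verify -CAfile "$store" "$leaf" >/dev/null 2>&1 || rc=$?
    rm -f "$store"
    return $rc
}

verdict() { if trusts "$@"; then echo trusted; else echo untrusted; fi; }

# Demo: the server presents only its leaf cert; vary what the verifier has loaded.
lab=$(mktemp -d) && build_lab_pki "$lab" && {
    echo "unrelated CA only:      $(verdict "$lab/leaf.pem" "$lab/other.pem")"
    echo "root CA only:           $(verdict "$lab/leaf.pem" "$lab/root.pem")"
    echo "root + intermediate CA: $(verdict "$lab/leaf.pem" "$lab/root.pem" "$lab/inter.pem")"
}
rm -rf "$lab"
```

Only the last case verifies: a trust list that lacks the issuing chain, or holds the root without the intermediate, leaves the server cert unauthenticated.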
I imported the CA cert list to SRX, but I got a browser certificate error that "this certificate can't be used for this purpose", which means it can't be used as a trusted root certificate.
So I used a self-signed certificate and imported it to the client trusted root certificate folder, then I was able to browse https over Microsoft explorer only, although I imported the certificate to the other explorers' directories. Any idea here?
So, is the first reported issue no longer happening? Please note that my previous suggestions were to be applied on the SRX only.
Assuming that the first issue was solved, my understanding is that in the PCs we need to install a cert that was previously self-signed by the SRX. See step 1 in the following doc and let me know if you followed a similar process: