Installing the certificate is required to avoid certificate warnings in the browsers. For visitors, I know this could be complicated. But when you also need to decrypt this traffic, there is no way without this step. You could configure a captive portal where you would write some information for the visitors about how to do this.
Also with pfSense, cryptographically there is no way to implement TLS decryption "transparently" without this step (except when you have the power of the CIA, NSA or some other intelligence agency - but even if they do this with an official CA certificate, I would assume they will get caught pretty fast).
For basic URL filtering you do not have to install the certificate on the clients, as the firewall sees the domain name in cleartext in the TLS handshake when a client connects to an HTTPS website.