Hello, we are implementing https decryption and re-encryption on our Ironport webfiltering device. I have generated a CSR and had it sign by our CA with the subordinate CA template. Everything works great for devices that trust our root or intermediate CAs.
The question I have is if I wanted contractors, of whom are not on our domain and we have no control of their devices, to install our intermediate CA onto their machines what kind of risk does this pose if any?