Why it is required to have self signed Root CA for HTTPS Decryption?

I have a wildcard certificate *.example.com from well known certification authority. Why cannot I use it to perform HTTPS decryption?

The certificate you have is only valid for *.example.com domain. It is indeed wildcard but the wildcard applies only to subdomains of example.com. When HTTPS decryption is enabled the sites being decrypted-and-then-encrypted again are completely different, for example www.facebook.com. So this certificate cannot be used.

Thus if HTTPS decryption is used your clients must trust the Root CA of your proxy. You establish the trust by adding the Root CA certificate of the proxy to the list of trusted root certificates. This can be done in various ways:

  1. Manually as explained in the article Install Trusted Certificates .
  2. Using GPO or subordinate CA if you have Active Directory, see Using Subordinate CA for HTTPS Decryption in Active Directory Integrated Squid
  3. Using some BYOD management solution.

The UI itself checks the Root CA you try to upload is in PEM format and that it is self signed.