We know that when ISA publishes an HTTPS site, in the listerner we need to specify a certificate for the site, and this certificate should be issued for this site by a trusted CA. We also know that if the certificate on the listener is not issued by a trusted CA, when the client access the site through reverse proxy, it will get a warning - 'The security certificate presented by this website was not issued by a trusted certificate authority.' However, user can still continue by ignoring this message. What will happen if ISA server itself doesn't trust the CA? Both end, the web server and the client, trust the CA who issued the certificate for the website. But for some reason, like root certificates have not been updated, the middleman - ISA does not trust the CA who issued the certificate that ISA imported to its local store. Will ISA server try to update its root certificates if it can or cannot reach the Internet? Will there be any other backend traffic trying to fix this, and eventually slow the whole publish process? Thanks.