Why is the issuer certificate different at my workplace and at home?

Yes, a company doing SSL interception could in theory read all your traffic if you use the company network. Depending on where you live and what kind of contract you have, the company's ability to do this might also somehow be part of the contract or working rules, which might also state that you are only allowed to use the company network for work-related things.

Can I work around this?

Yes, you might use a different machine and network, like your mobile phone, for your private, non-work-related traffic. Depending on the configuration of the firewall, it might also be possible to use a VPN tunnel through the firewall. But this is usually explicitly forbidden, so you risk getting fired for it.


In addition to scanning for malware, corporate IT also uses TLS interception for data loss prevention (DLP), e.g. making sure you're not sending proprietary documents through your personal e-mail.

In most medium to large companies, you must sign an "Acceptable Use Policy" as a condition of employment, and that policy will explicitly state that they are allowed to monitor everything you do on a company-issued computer and/or the company's network. It may also include restrictions on what type of personal activities you're allowed to do on the company's computer/network. And if it does, then the policy probably forbids you from workarounds such as a VPN.

Assuming you work for a big company that has this type of policy in place and also the technology to monitor and enforce compliance, my recommendation is to use your own personal device for personal matters (i.e. smartphone) and do not connect your device to the company's network. (Some companies have a separate, "open" network for employee-owned devices.)


Being able to "read" all your encrypted communication doesn't necessarily mean someone is literally sitting at a computer and looking at your data. The "man in the middle" is generally a firewall or proxy appliance, where the IT/Security administrators create rules to block or flag certain types of content. The appliance inspects the packets in plain-text, but it's generally not exposed to a live human.

That said, the general rule applies that you should only do work-related things on your work devices. Even if your traffic isn't being decrypted, the name of the site you are visiting - though not the exact URI - is still visible (via SNI). In other words, even over HTTPS, whether you're just visiting Facebook too much or browsing pr0n, the list of sites you are visiting is visible to corporate eyes, with or without something intercepting the cert. Be smart and just keep personal things on personal devices.
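As an added illustration of the SNI point above (example code written for this page, not part of any of the answers): the script below builds a minimal TLS ClientHello for a given host name and then parses the server_name extension back out of it, which is all a firewall or proxy on the path has to do to learn which site you are visiting without decrypting anything. The ClientHello it constructs is a sample with one cipher suite and a zeroed random; real clients send more, but the record framing is the same. Host names used are made up.

```python
import struct

# HandshakeType client_hello, ContentType handshake, ExtensionType server_name
HS_CLIENT_HELLO = 0x01
REC_HANDSHAKE = 0x16
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2-style ClientHello record carrying an SNI
    extension. Constructed sample for this example: one cipher suite,
    zeroed random, no session id. The framing matches what real clients send."""
    host = server_name.encode("ascii")
    # ServerNameList: list length(2) | name_type(1)=host_name | name length(2) | name
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    body = (
        b"\x03\x03"                                   # client_version TLS 1.2
        + bytes(32)                                   # random (zeros; sample only)
        + b"\x00"                                     # session_id length 0
        + b"\x00\x02\xc0\x2f"                         # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
        + b"\x01\x00"                                 # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    # Handshake header: type(1) | length(3, big-endian)
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record header: type(1) | legacy version(2) | length(2)
    return bytes([REC_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host name carried in the SNI extension of a TLS ClientHello
    record, or None if the bytes are not a ClientHello or carry no SNI.
    Assumes the whole ClientHello sits in one record (true for typical
    captures, but a passive observer must reassemble fragmented records)."""
    if len(record) < 5 or record[0] != REC_HANDSHAKE:
        return None                      # not a TLS handshake record (e.g. plain HTTP)
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 2 + 32                         # skip client_version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                 # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                 # compression_methods
    if len(body) < pos + 2:
        return None                      # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2

    # Walk the extension list looking for server_name (type 0)
    while pos + 4 <= min(ext_end, len(body)):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != EXT_SERVER_NAME or len(data) < 2:
            continue
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= min(list_end, len(data)):
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            q += 3
            name = data[q:q + name_len]
            q += name_len
            if name_type == 0:           # host_name
                return name.decode("ascii", errors="replace")
    return None


if __name__ == "__main__":
    hello = build_client_hello("intranet.example.test")   # made-up host name
    print("SNI visible on the wire:", extract_sni(hello))
    print("plain HTTP request:", extract_sni(b"GET /secret HTTP/1.1\r\nHost: x\r\n\r\n"))
```

The parser deliberately stops at the host name: nothing else in the ClientHello names the URL path, the cookies or the request body, which is why the answer above says the site is visible but the exact URI is not.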