Though I don't know what that exactly is, I think that may be one of below..:
- Root certificate of Internal Resources that uses self signed certificate behind content gateway.
- Root certificate of content gateway(endpoint) that uses self signed certificate behind content gateway(relay).
I wonder if we do not have to import trusted certificates in below example cases..:
- All content gateway(endpoint) or Internal Resources uses a certificates from CA that has already been trusted by content gateways in front of them.
- All Internal Resources do not uses protocol that needs tls/ssl connection.
I hope this would be some of help..