In a SteelHead SaaS environment where the Signing CA is Customer Hosted type, the SaaS services proxy certificates are signed by the customers own CA.
In such an environment the customer may have a root CA with Intermediate CA's that sign the CSR for the SaaS proxy certs. Ths signed Proxy certificates are then subsequently uploaded back to the Portal after being signed by the Intermediate CA.
Example:
Root Ca
||
Intermediate CA
||
Proxy Certificate *.office365.com