Sometimes it is even worse than that. Some of the middleware TLS proxies don't verify the certificate before they re-sign the data. They completely open up your enterprise to MITM attacks, and in fact hide the fact that you are being MITMed. This came to light way back during the Superfish debacle, and some vendors still have not fixed the problem.
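One way to check a middlebox for the behaviour described above, as an added example that is not part of the original comment: from a workstation behind the proxy, handshake with endpoints that deliberately serve invalid certificates and see whether the error still reaches the client. It assumes transparent interception (no explicit CONNECT proxy) and that the enterprise CA is in the system trust store; the function names are illustrative.

```python
import socket
import ssl

# Public test endpoints that deliberately serve invalid certificates.
BAD_HOSTS = ["expired.badssl.com", "self-signed.badssl.com",
             "wrong.host.badssl.com", "untrusted-root.badssl.com"]


def classify(handshake_ok, error=None):
    """Interpret one probe that was made with full verification enabled."""
    if handshake_ok:
        # The invalid upstream certificate did not surface: a certificate
        # the client trusts was presented in its place.
        return "MASKED"
    if isinstance(error, ssl.SSLCertVerificationError):
        return "REJECTED"   # the bad certificate (or an untrusted copy) reached the client
    return "BLOCKED"        # reset, timeout or no network: nothing was passed on


def probe(host, port=443, timeout=5.0):
    """Handshake using the system trust store, which includes the enterprise CA."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED plus hostname checking
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return classify(True)
    except (ssl.SSLError, OSError) as exc:
        return classify(False, exc)


def audit(results):
    """Return the hosts whose invalid certificate was hidden from the client."""
    return sorted(h for h, verdict in results.items() if verdict == "MASKED")


if __name__ == "__main__":
    results = {h: probe(h) for h in BAD_HOSTS}
    for host, verdict in results.items():
        print(f"{verdict:9} {host}")
    masked = audit(results)
    print("invalid upstream certs hidden for:" if masked else "no masking seen", *masked)
```

A proxy that validates upstream correctly but serves its own block page under a re-signed certificate also shows as MASKED, so confirm any hit by looking at the response body and the issuer of the certificate presented.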