What your employer is doing is common, and using a self-signed certificate for this is actually the only way, as no CA will issue a cert to an organisation that you can then use to sign other certs (if you run your own CA, e.g. AD CA services, you could have a cert issued for this, but it would still derive from the organisation's root cert, which will be self-signed).
Fundamentally, in order to do things like
- block https sites without a poor user experience (have the browser display a proxy block page instead of a generic browser connection failed page)
- scan downloaded content for malware (imagine if we gave up scanning downloads just because they were moved to https)
- apply URL-level control of access to https sites (e.g. block facebook except for the company page)
- prevent uploads (e.g. data leakage protection) to https sites
- cache content to reduce upstream bandwidth requirements
which are common and arguably reasonable endeavours in a business, it becomes necessary to break into the encryption of https. This is often called a man-in-the-middle (MitM) "attack". Even though the term "attack" is pejorative, there can be arguably bona fide reasons to do it.
In order for the proxy to be able to modify content (e.g. send block pages), it needs to be party to the crypto; this requires it to have a private key and a certificate that is used on the client-side connection. In order to minimise deployment problems, this is done with a signer certificate, which is added to client trust stores and used to sign newly-generated certs for each site the clients connect to (which typically copy the attributes from the actual server cert to pass client validation). This way the clients only need to trust 1 cert (the one used to sign the spoofed certs).
MitM (often called SSL inspection) breaks things like:
- Extended-Validation certs (since these cannot be spoofed)
- Client certificates (sites using these won't work)
- Cert pinning. If a site uses certificate pinning, the client will reject the spoofed cert.
- Windows updates, and iTunes
For these reasons, proxies with this capability (e.g. Squid, WinGate) need to have an exclusion list feature which allows certain sites to not be intercepted.
You may be able to convince your admin to add the sites you need to this list.
Disclaimer: I work for Qbik who are the authors of WinGate.
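
The following is an added example, not part of the original answer and not code from any proxy vendor: a client-side check that tells, from the issuer of the certificate a site presents, whether the connection went through the inspecting proxy or was left alone (for instance because the site is on the exclusion list). The issuer name `Example Corp Web Proxy`, the host names and the sample certificates are constructed assumptions; substitute the issuer of the signer certificate installed in your trust store.

```python
import socket
import ssl

# Assumption: issuer organisation name of the proxy's signer certificate,
# as it appears in the client trust store. Hypothetical value.
INSPECTION_ISSUER_ORGS = {"Example Corp Web Proxy"}


def issuer_fields(peercert):
    """Flatten the nested 'issuer' tuples of ssl.getpeercert() into a dict."""
    return {key: value for rdn in peercert.get("issuer", ()) for key, value in rdn}


def is_intercepted(peercert, inspection_orgs=INSPECTION_ISSUER_ORGS):
    """True when the leaf certificate was signed by the proxy's signer cert."""
    issuer = issuer_fields(peercert)
    names = {issuer.get("organizationName"), issuer.get("commonName")}
    return bool(names & set(inspection_orgs))


def fetch_peercert(host, port=443, timeout=5.0):
    """Live lookup: validated handshake, returns the presented leaf cert."""
    ctx = ssl.create_default_context()  # validates against the default CA store
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit(certs_by_host, inspection_orgs=INSPECTION_ISSUER_ORGS):
    """Map each host to 'intercepted' or 'direct' (excluded or not proxied)."""
    return {
        host: "intercepted" if is_intercepted(cert, inspection_orgs) else "direct"
        for host, cert in certs_by_host.items()
    }


# Constructed sample data in the shape ssl.getpeercert() returns.
SAMPLE = {
    "intranet-blocked.example": {
        "subject": ((("commonName", "intranet-blocked.example"),),),
        "issuer": ((("organizationName", "Example Corp Web Proxy"),),
                   (("commonName", "Example Corp Inspection CA"),)),
    },
    "pinned-app.example": {
        "subject": ((("commonName", "pinned-app.example"),),),
        "issuer": ((("organizationName", "Constructed Public CA"),),
                   (("commonName", "Constructed Public CA R1"),)),
    },
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(f"{host}: {verdict}")
```

To check live hosts, build the input with `{h: fetch_peercert(h) for h in hosts}`. If Python's CA store does not include the signer certificate, `fetch_peercert` raises `ssl.SSLCertVerificationError` on intercepted hosts, which is itself a sign of inspection.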