Security flaw while importing certificate?

Question

Recently the company where I work changed its way for users to access the internet. Windows users log in an Active Directory server, and in order to use the internet, they can use any browser with the proxy option disabled. For linux users, there is an exception: we have to import a certificate people from Security Information area generated for us. My questions are:

1) What's this certificate for? I think this can be a silly question, but I've always thought certificates weren't for client, only for server. What I mean is: if I try to access google.com via https, then my browser will verify google's certificate if it's good or not. Can you see that, in this point of view, there is only server certificate?

2) If I don't import it, every site access attempt results in a certificate validation error. Why is that? AFAIK, certificate validation error occurred only when server certificate was invalid or outdated.

3) Is there any flaw in this situation? For example: can I use this certificate in order to try a MITM attack?

4) Windows users don't need to import this certificate, whilst Linux users do. Linux users need to authenticate every 12 hours, whilst Windows users don't. May someone write something to explain what's going on here?

My company uses a product from https://usercenter.checkpoint.com/usercenter/index.jsp in order to manage the accounts, to filter websites etc.

EDIT:

After Steffen's answer, it occurred to me: the certificate I had to import is the same for all Linux users. Given the fact that I have the certificate, A) can I "extract" (or export or get or whatever) the private key from it? If so, B) can I, after sniffing the network traffic, use it to decrypt the packets that I occasionally get?

Answer 1

1) What's this certificate for?

For SSL interception at the firewall, i.e. the SSL connection will be terminated at the firewall and the firewall will do a new SSL connection to the server. All the certificates you get in your intercepted connection will be signed by this CA certificate you've imported and are therefore considered trusted. This way the firewall can analyze even SSL traffic.

2) If I don't import it, every site access attempt results in a certificate validation error. Why is that?

Because your host does not trust the CA certificate of the firewall which is used to create the new certificates for the intercepted SSL connections.

3) Is there any flaw in this situation? For example: can I use this certificate in order to try a MITM attack?

Anybody who has access to the private key of the CA certificate can MITM the connection.

4) Windows users don't need to import this certificate, whilst Linux users do. Linux users need to authenticate every 12 hours, whilst Windows users don't. May someone write something to explain what's going on here?

With windows the proxy CA certificate is automatically propagated to all machines using a policy. And there is probably some process to which maps an IP address to the user currently logged on the machine so no manual login is necessary.

.. Given the fact that I have the certificate,
A) can I "extract" (or export or get or whatever) the private key from it?

No. You have the certificate only. This includes the public but not the private key. The is the same with all the other CA certificates you have on your system or in your browser: they are used to verify a certificate only which is done using the public key in the certificate.

For more information about such firewall based MITM see Can my company see what HTTPS sites I went to?