Whilst I don’t know the specifics of your ISP, I would say that it’s likely that what they’re doing here is intercepting all traffic you send over the Internet. In order to do that (without you getting error messages whenever you visit an HTTPS encrypted site), they would need to install a root certificate, which is what you mention in your post.
They need to do this as what this kind of interception usually entails is creating their own certificate for each site you visit. So, for example, if you visit https://www.amazon.com they need to have a certificate that your browser considers valid for that connection (which is one issued by a trusted Certificate Authority, either one provided with the browser or one you manually install).
From your perspective, the problem here is it means that they can see all your Internet traffic including usernames/passwords/credit card details. So if they want to, they can look at that information. Also if they have a security breach it’s possible that other people might get access to that information. In addition, they may also gain access to any account that you access over this Internet connection (e.g., email accounts). Finally, installing this root certificate allows them to modify your Internet traffic without detection.
What I would recommend is that you query with them exactly why they need to see the details of your encrypted traffic (e.g., is this a legal requirement for your country) and if you’re not 100% satisfied with the response, get a new ISP. Another possibility is to use a VPN and tunnel all your traffic through the VPN. If you are not happy with your ISP gaining this access to your HTTPS connections, do not install the root certificate they provided you.
This is a request to surrender all your privacy and security to them.
It is a very simple technical issue – they have blocked encrypted and secure HTTPS connections. “Reenabling” it by installing their certificate will now allow you to use encrypted and “secure” connections, but it will give your ISP full access to view your online data, modify anything you download (including inserting backdoors or malware in any downloaded software), modify or filter anything you upload, and gain all the online access credentials (passwords, cookies, other security tokens) that you use through HTTPS.
This is not simply a potential theoretical risk. In fact, you should expect that they are already doing some or all of this – it’s the only practical reason why they put in the effort to block and require their certificate in the first place.
Only if you desire to have this connection despite the aforementioned issues, then you can accept their certificate. A good paid VPN can be a solution, however, it’s possible that they will be blocking VPNs as well; it may be the case that you have to choose between a monitored and insecure connection controlled by someone else and no connection at all.
In effect your ISP is reading all your mail.
Think of your internet connection as a series of letters being sent over pony express. The error you are seeing is your browser complaining that your mail has been opened by someone and resealed with the wrong wax seal rather than the expected, for example Google’s, wax seal.
What your ISP is telling you to do is retrain your browser to treat the ISP seal as being more trustworthy than Google’s seal.
The error is correct. It is telling you that your ISP is reading your mail. Don’t do what they say. Change your ISP now.
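An added example, not part of the answers above: once an interception root is installed the browser error disappears, so the remaining signal is the certificate itself. This Python sketch compares the leaf certificate seen on the current connection with a record taken over a path you trust; the function names, result labels and sample issuers are assumptions made for illustration, and it assumes Python's trust store is the one the root was installed into.

```python
import hashlib
import socket
import ssl

def issuer_name(cert):
    """Flatten getpeercert()'s issuer RDN tuples into sorted (field, value) pairs."""
    return tuple(sorted(pair for rdn in cert.get("issuer", ()) for pair in rdn))

def summarize(der, cert):
    """Reduce a leaf certificate to the two properties compared below."""
    return {"trusted": True,
            "sha256": hashlib.sha256(der).hexdigest(),
            "issuer": issuer_name(cert)}

def observe(host, port=443, timeout=5):
    """Record the leaf certificate this network presents for host."""
    ctx = ssl.create_default_context()  # validates against the local trust store
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return summarize(tls.getpeercert(binary_form=True), tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # The condition the browser reports while the ISP root is not installed.
        return {"trusted": False, "error": exc.verify_message}

def compare(reference, observed):
    """Classify an observation against a record taken over a trusted path."""
    if not observed["trusted"]:
        return "untrusted-chain"
    if observed["sha256"] == reference["sha256"]:
        return "same-certificate"
    if observed["issuer"] == reference["issuer"]:
        # Renewal or CDN variation, or an interception CA copying the issuer name.
        return "new-certificate-same-issuer"
    return "issuer-changed"  # consistent with re-signing by a locally installed root

# Constructed samples in the shape of getpeercert() output; not real certificates.
PUBLIC_CA = {"issuer": ((("organizationName", "Example Public CA"),),
                        (("commonName", "Example Public CA R1"),))}
ISP_CA = {"issuer": ((("organizationName", "Example ISP"),),
                     (("commonName", "Example ISP Inspection Root"),))}
REFERENCE = summarize(b"constructed-leaf-A", PUBLIC_CA)
ON_ISP = summarize(b"constructed-leaf-B", ISP_CA)

if __name__ == "__main__":
    print(compare(REFERENCE, REFERENCE))  # same-certificate
    print(compare(REFERENCE, ON_ISP))     # issuer-changed
```

Call observe(host) once over a connection you trust to obtain the reference, then again over the ISP connection. A changed issuer is a signal to investigate rather than proof, since sites do change certificate authorities.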