I get that when it comes to a transparent proxy - what about an explicitly-configured proxy, though? I can see it both ways because on the one hand, if a browser trusts a proxy to be full man-in-the-middle, the proxy could give its own cert for the proxy->client leg (validating itself to the client), and the browser could be happy with that, trusting the proxy to say "the site you're visiting just gave a bad certificate" in case of bad/revoked/expired certificates on the upstream side. But then I can also see browsers never operating in this mode either. In this case, you're trusting the proxy not to do anything bad... Let's just say that if I went to a hotspot and the banner said "install this certificate in your browser and trust our proxy" I would rip the battery right out of the computer before any further harm could be done.
Yes, that can be done, but probably not by a small MikroTik... I am no expert on that, but generally boxes that can do this require serious CPU power and/or crypto acceleration.
A normal proxy will not decrypt/encrypt but has a CONNECT command. The client connects to the proxy, sends a CONNECT with the hostname and port, the proxy makes the connection and ties the two ends together. Then, the client negotiates the TLS connection directly with the server, and the proxy has no way of seeing the actual URL being fetched from the server.
A proxy that is a real man-in-the-middle is possible, and it can even be transparent. But indeed in that case you need to install a trusted certificate on the client. Not a thing one should do as a hotspot client. In corporate environments this is done to be able to inspect the data (scan for viruses, block URLs). But there the workstations are under control of the company and certificates can be automatically installed.
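The CONNECT mechanism described in the reply above, as an added example that is not part of the original thread: a minimal explicit proxy in Python that parses the CONNECT line, answers "200 Connection Established", and then relays bytes blindly, so the only thing it can ever log is the host and port. It assumes a hypothetical URL https://example.com/secret/page and uses in-memory socket pairs in place of real network connections.

```python
import contextlib
import socket
import threading

# Constructed sample: what a browser sends an explicit proxy before fetching
# https://example.com/secret/page (hypothetical URL). Only host:port appears.
SAMPLE_CONNECT = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
ESTABLISHED = b"HTTP/1.1 200 Connection Established\r\n\r\n"

def parse_connect(request: bytes):
    parts = request.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or parts[0] != b"CONNECT":
        return None  # not a CONNECT request
    host, sep, port = parts[1].rpartition(b":")
    if not sep or not host or not port.isdigit():
        return None  # malformed target
    return host.decode("ascii"), int(port)

def pump(src: socket.socket, dst: socket.socket) -> None:
    with contextlib.suppress(OSError):
        while chunk := src.recv(4096):  # nothing here inspects the payload
            dst.sendall(chunk)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)  # pass the EOF on to the other side

def handle_client(client: socket.socket, dial, log: list) -> None:
    """dial(host, port) opens the upstream socket; injected so the demo runs offline."""
    target = parse_connect(client.recv(4096))  # assumes headers fit in one read
    if target is None:
        client.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        return client.close()
    log.append("CONNECT %s:%d" % target)  # all the proxy will ever learn
    upstream = dial(*target)
    client.sendall(ESTABLISHED)  # from here on the proxy is a blind relay
    threading.Thread(target=pump, args=(upstream, client), daemon=True).start()
    pump(client, upstream)

def demo() -> dict:
    browser, proxy_in = socket.socketpair()  # in-memory stand-ins for real sockets
    proxy_out, server = socket.socketpair()
    log: list = []
    threading.Thread(target=handle_client, daemon=True,
                     args=(proxy_in, lambda h, p: proxy_out, log)).start()
    browser.sendall(SAMPLE_CONNECT)
    reply = browser.recv(4096)
    hello = b"\x16\x03\x01 constructed stand-in for the TLS ClientHello"
    browser.sendall(hello)  # in reality the TLS handshake runs end to end here
    got = server.recv(4096)
    browser.close()
    return {"reply": reply, "log": log, "server_got": got, "hello": hello}
```

Running demo() shows the proxy log holding nothing but "CONNECT example.com:443" while the bytes after the 200 reply reach the server untouched, which is exactly why a CONNECT proxy cannot see the URL.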