Some companies install corporate VPNs which also come with a root certificate installed on all employees’ machines. This allows for encrypted traffic to be decrypted by technology installed on the VPN. Some companies even have to do this to meet certain auditing and compliance requirements.
Is it possible for a website to set up a certificate signing chain in a way that if root cert that signed it is replaced by the corporate VPNs root cert, it would either fail to load the website, or prevent it from being overwritten by the root cert entirely in the first place?
Or, if there’s a root cert installed on a machine, is it impossible to prevent TLS intercepting by a MITM party?