a) "we have not signed anything which would excuse it" - you can't. You're not able to sign enforceable legal documents.
b) "there was a root CA from the school" - it happens due to
1) WPA-Enterprise and/or NAC relies on keys. Do you use your school credentials for wireless? If so, you require key exchange for it to verify each party.
2) SSL monitoring systems rely on MITM to read the HOST headers. We couldn't give a rat's arse your bragging about banging Sally, however we do mind that it was to a website called HTTPS://www.breakuprevenge.com and both Sally and yourself are under legal age, it may have included a phone camera image, and it was all posted via the School Internet. Federal, State, and School pastoral care policy issues trump most whiny students objections.
c) It happens when at the start of the year. I would have twenty staff ask for different packages to be deployed in the first week of school, and your BYOD package may just happened to end up with a testing cert. Once had an antivirus package that hid all toolbars in Word and Excel - that ex-employee never applied a GPO at domain-level again.
All I'm saying is most school IT departments are asked to perform miracles of pastoral care because parents don't care and Teachers are busy trying to teach. We bare the brunt of school administration trying to enforce pastoral care not just for you, but all those in the school body
I'm sure if you had brought it to most IT departments attention in a courteous way, you might have been treated better.
Most schools have a tech-savvy student who is treated like an offsider, as well as one who has joined the Dark Side and ends up on the Watchlist. (yes, I've had "meetings" with Federal Police over a student's actions). Which one will you be?