As much as they can read the traffic, they can't spoofed the identity. Not without having their own root cert on the customer side.