It does come with its own certificate by default, with instructions for generating your own, but it doesn't trust that certificate for external connections; it uses a separate database of trusted roots which doesn't include the MITM certificate.

Has anyone confirmed the certificate validation behaviour in Superfish? I have a feeling it will be "none at all", which would be really bad...