Depends, if they have a root (or a wildcard) certificate, they can show you that, and your browser will happily show you a green lock. However, the list of root CAs in your browser is public, for Firefox see [0], and hopefully someone would notice if a VPN provider has access to such an certificate.
(However, that is something that also applies to ISPs, at least Telekom has a CA and therefore a root certificate.)
(However, that is something that also applies to ISPs, at least Telekom has a CA and therefore a root certificate.)
[0] https://www.mozilla.org/en-US/about/governance/policies/secu...