While troubleshooting an SSL Forward Proxy decryption issue, which PAN-OS CLI command would you use to check the details of the end entity certificate that is signed by the Forward Trust Certificate or Forward Untrust Certificate?
To check the details of the end entity certificate that is signed by the Forward Trust Certificate or Forward Untrust Certificate, the correct PAN-OS CLI command is 'show system setting ssl-decrypt certificate-cache'. This command provides information about the certificate cache, where certificates involved in SSL Forward Proxy decryption are stored, including the end entity certificates.
> show system setting ssl-decrypt certificate
Certificates for Global SSL Decryption
CERT global trusted ssl-decryption
x509 certificate
version 2
cert algorithm 4
valid 200502004326Z -- 300502005326Z
cert pki 1
subject: NAME
issuer: NAME
serial number(16) 60 c9 5......".
rsa key size 4096 bits siglen 512 bytes
basic constraints extension CA 1
global untrusted ssl-decryption
x509 certificate
version 2
cert algorithm 4
valid 200221032Z -- 220500032Z
cert pki 1
subject: untrust.xxx.net
issuer: untrust.xxx.net
serial number(9) 00 b8 db 95 e3 b0 f9 ........ .
rsa key size 2048 bits siglen 256 bytes
basic constraints extension CA 1
NO INBOUND CERT
> show system setting ssl-decrypt certificate-cache
Cached 0 certificates
Read the question - "end entity certificate". Now run the various command options on your firewall. Answer A is invalid syntax. Answer B shows you the certificates installed on your Palo, not end-entity certificates. Answer C shows you various hit counters. Answer D shows you certificate details from "end entities".
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF2CAK
B should be correct
Checked in the lab.
Checked in the lab
Answer is D. The cache space is limited, so you will only see recent certificates cached if you have a busy firewall. But the certificates in that certificate cache are placed there when the firewall retrieves the certificate for a traffic flow that matches an SSL Forward Proxy decryption policy. Note that the end-entity certificate is the final link in the chain of trust.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF2CAK
B. show system setting ssl-decrypt certificate
B. just tested it.
Verified in lab - correct answer should be D
No, it's wrong.
> show system setting ssl-decrypt certificate-cache
Cached 0 certificates
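The disagreement in this thread comes down to what each command actually lists: the `certificate` output shows the firewall's own Forward Trust / Forward Untrust signing CAs (note `basic constraints extension CA 1` on both entries), while the `certificate-cache` output holds the end-entity certificates the firewall fetched for decrypted flows. The following Python script is an added example, not from the thread or from Palo Alto Networks, that parses both outputs offline and flags which entries are CAs versus end-entity certificates. The sample text is constructed to mirror the output quoted above; the subject names, serials and dates in it are placeholders, and the `DecryptCert` and `parse_decrypt_certs` names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the "show system setting ssl-decrypt certificate"
# output quoted in the thread. Names, serials and dates are placeholders.
SAMPLE_CERT_OUTPUT = """\
Certificates for Global SSL Decryption
CERT global trusted ssl-decryption
x509 certificate
version 2
cert algorithm 4
valid 200502004326Z -- 300502005326Z
cert pki 1
subject: Forward-Trust-CA
issuer: Forward-Trust-CA
serial number(16) 60 c9 50 00 00 00 00 00 00 00 00 00 00 00 00 01
rsa key size 4096 bits siglen 512 bytes
basic constraints extension CA 1
global untrusted ssl-decryption
x509 certificate
version 2
cert algorithm 4
valid 200221000032Z -- 220500000032Z
cert pki 1
subject: untrust.example.net
issuer: untrust.example.net
serial number(9) 00 b8 db 95 e3 b0 f9 00 01
rsa key size 2048 bits siglen 256 bytes
basic constraints extension CA 1
NO INBOUND CERT
"""

# Constructed sample of "show system setting ssl-decrypt certificate-cache" on an idle box.
SAMPLE_CACHE_OUTPUT = "Cached 0 certificates"


@dataclass
class DecryptCert:
    """One signing certificate configured for SSL Forward Proxy (hypothetical type)."""
    role: str                      # "trusted" (Forward Trust) or "untrusted" (Forward Untrust)
    subject: str = ""
    issuer: str = ""
    valid_from: str = ""
    valid_to: str = ""
    key_bits: Optional[int] = None
    is_ca: Optional[bool] = None   # from "basic constraints extension CA <0|1>"

    @property
    def is_self_signed(self) -> bool:
        return bool(self.subject) and self.subject == self.issuer

    @property
    def is_end_entity(self) -> bool:
        # An end-entity (leaf) certificate carries CA=0; the proxy's signing certs carry CA=1.
        return self.is_ca is False


ROLE_RE = re.compile(r"^(?:CERT\s+)?global\s+(trusted|untrusted)\s+ssl-decryption\s*$")
VALID_RE = re.compile(r"^valid\s+(\S+)\s+--\s+(\S+)")
KEY_RE = re.compile(r"^rsa key size\s+(\d+)\s+bits")
CA_RE = re.compile(r"^basic constraints extension CA\s+(\d)")
CACHE_RE = re.compile(r"Cached\s+(\d+)\s+certificates")


def parse_decrypt_certs(text: str) -> List[DecryptCert]:
    """Walk the CLI output line by line; a new entry starts at each 'global ... ssl-decryption' line."""
    certs: List[DecryptCert] = []
    current: Optional[DecryptCert] = None
    for raw in text.splitlines():
        line = raw.strip()
        role = ROLE_RE.match(line)
        if role:
            current = DecryptCert(role=role.group(1))
            certs.append(current)
            continue
        if current is None:
            continue  # header lines before the first entry
        if line.startswith("subject:"):
            current.subject = line.split(":", 1)[1].strip()
        elif line.startswith("issuer:"):
            current.issuer = line.split(":", 1)[1].strip()
        elif (m := VALID_RE.match(line)):
            current.valid_from, current.valid_to = m.group(1), m.group(2)
        elif (m := KEY_RE.match(line)):
            current.key_bits = int(m.group(1))
        elif (m := CA_RE.match(line)):
            current.is_ca = m.group(1) == "1"
    return certs


def cached_certificate_count(text: str) -> int:
    """Number of end-entity certificates currently held in the decryption certificate cache."""
    m = CACHE_RE.search(text)
    if not m:
        raise ValueError("unrecognised certificate-cache output")
    return int(m.group(1))


def summarize(certs: List[DecryptCert]) -> List[str]:
    """One human-readable line per signing certificate, flagging CA status and key size."""
    lines = []
    for c in certs:
        kind = "END-ENTITY" if c.is_end_entity else "CA"
        origin = "self-signed" if c.is_self_signed else f"issued by {c.issuer}"
        lines.append(f"{c.role:<9} {kind:<10} {c.subject} ({origin}, RSA {c.key_bits}, until {c.valid_to})")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_decrypt_certs(SAMPLE_CERT_OUTPUT)):
        print(line)
    print("end-entity certs in cache:", cached_certificate_count(SAMPLE_CACHE_OUTPUT))
```

Run against real output (paste the two command results into the sample strings), the summary shows every entry from the `certificate` command as a CA, which is why it cannot answer a question about the end-entity certificate; a cache count of zero on a firewall with an active decryption policy is itself a useful check, since it means no matching flow has yet caused the firewall to fetch and re-sign a server certificate.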