Exam PCNSE
Question 440

Review the screenshot of the Certificates page.

An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption roll out. The administrator has also installed the self-signed root certificate in all client systems.

When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings.

What is the cause of the unsecured website warnings?

    Correct Answer: A

    The unsecured website warnings are caused by the forward trust certificate not being signed by the self-signed root CA certificate. The firewall uses the forward trust certificate as a CA to issue the impersonation certificate for every site it decrypts, so the client validates a chain of site certificate, forward trust CA, root CA. Because the administrator installed only the self-signed root on the clients, the chain is trusted only if the root actually signed the forward trust certificate. A forward trust certificate that was issued by itself does not chain to the installed root, so the client cannot find a trusted issuer and shows a warning for each SSL site. Signing the forward trust certificate with the installed root CA (or, alternatively, installing the forward trust certificate itself on the clients) resolves the warnings.
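The chain-of-trust argument above is easy to check outside the firewall. The following Go program is an added example, not code from the page, from Palo Alto Networks, or from any PAN-OS component: it builds a self-signed root, a forward trust CA, and the per-site impersonation certificate the firewall would issue for a constructed hostname (www.example.com), then validates the leaf with Go's standard X.509 verifier standing in for a browser whose trust store holds only what the administrator installed. The common names and hostname are assumptions chosen for the example. Scenario(false, false) reproduces the question's setup (forward trust issued by itself, only the root installed); the other two calls show the two fixes the thread discusses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// certPair holds a certificate together with its private key.
type certPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serial int64 // increasing serial number for the constructed certificates

// template returns a CA or server (leaf) certificate template for cn.
func template(cn string, isCA bool) *x509.Certificate {
	serial++
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign issues tmpl with a fresh key. With parent == nil the certificate is
// self-signed (issuer == subject), the "issued by itself" state the question
// describes; otherwise parent signs it.
func sign(tmpl *x509.Certificate, parent *certPair) *certPair {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &certPair{cert: cert, key: key}
}

// clientCheck models the browser: its trust store holds only `installed`,
// and the firewall presents the impersonation leaf plus the forward trust CA
// as the intermediate in the TLS handshake.
func clientCheck(leaf, forwardTrust *x509.Certificate, installed []*x509.Certificate, host string) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range installed {
		roots.AddCert(c)
	}
	inter.AddCert(forwardTrust)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	return err
}

// IsUnknownAuthority reports whether err is the "no path to a trusted root"
// failure that a browser renders as an unsecured-site warning.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// Scenario builds root -> forward trust -> www.example.com (constructed host)
// and returns the client's verification result when only the root is
// installed (installFT=false) or when the forward trust CA is also installed.
func Scenario(ftSignedByRoot, installFT bool) error {
	root := sign(template("Firewall Root CA", true), nil)
	var ft *certPair
	if ftSignedByRoot {
		ft = sign(template("Forward Trust CA", true), root)
	} else {
		ft = sign(template("Forward Trust CA", true), nil) // issued by itself
	}
	leaf := sign(template("www.example.com", false), ft)
	installed := []*x509.Certificate{root.cert}
	if installFT {
		installed = append(installed, ft.cert)
	}
	return clientCheck(leaf.cert, ft.cert, installed, "www.example.com")
}

func main() {
	fmt.Println("FT signed by root, root installed:   ", Scenario(true, false))
	fmt.Println("FT self-signed, root installed:      ", Scenario(false, false))
	fmt.Println("FT self-signed, root + FT installed: ", Scenario(false, true))
}
```

The first call returns nil: a forward trust CA signed by the installed root needs no separate distribution, because the client finds the root as the issuer of the intermediate the firewall sends. The second call returns x509.UnknownAuthorityError, the condition behind the warnings in the question. The third call also returns nil, which is the workaround described in the PAN-OS documentation for a self-signed forward trust certificate: install it in the client stores as well.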

Discussion
lukas_eng (Option: A)

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/configure-ssl-forward-proxy

PaloSteve

Answer B. "If you do not install the forward trust certificate on client systems, users see certificate warnings for each SSL site they visit."

Merlin0o

The administrator has also installed the self-signed root certificate in all client systems. So if the FT was signed by the root cert it would give no problems. Answer Still A

rom007 (Option: A)

should be A

mz101 (Option: A)

Yes, should be A. The cert. was issued by itself, not the ROOT cert.

Betty2022 (Option: B)

It should be B: The question refers to a self-signed Root CA certificate.

Step 2 has 2 options (https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/configure-ssl-forward-proxy): > Use an enterprise CA-signed certificate as the Forward Trust certificate, or > Use a self-signed certificate as the Forward Trust certificate.

Step 3: If you are using an enterprise-CA signed certificate as the forward trust certificate for SSL Forward Proxy decryption, and the client systems already have the enterprise CA installed in the local trusted root CA list, you can skip this step. (The client systems trust the subordinate CA certificates you generate on the firewall because the Enterprise Trusted Root CA has signed them.)

Since we use a self-signed certificate, we can't skip Step 3, so: Distribute the forward trust certificate to client system certificate stores. If you do not install the forward trust certificate on client systems, users see certificate warnings for each SSL site they visit.

SH_

but if the forward-trust cert is signed by the self-signed root CA (which is already installed on clients and thus trusted), would the clients still get certificate warnings?

importminded22 (Option: B)

The self-signed CA of the FW means nothing to client machines unless either it or the FT cert has been installed on the client machine. Definitely B.

Marbot (Option: B)

Possible answer is A or B. If the forward trust is signed by the trusted root, you don't need to install it on the client (probably; never tested it myself). If the forward trust is not signed by the trusted root, you need to install it on the client (tested on PAN-OS 10.1.8). Since in this case the forward trust is not signed, I choose B.

Sudont (Option: A)

Absolutely A. If the client installed CA hasn't signed the cert, it will not be trusted.

0d2fdfa (Option: A)

This is a really tricky question. I think the answer is A; the logic is from this document: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy# Step 3 says: If you don't install the forward trust certificate on client systems, users see certificate warnings for each SSL site they visit. But again, in the Step 3 notes section it's mentioned that: Export the firewall Trusted root CA certificate so that you can import it into client systems. Highlight the certificate and click Export at the bottom of the window. Choose PEM format. So in this case, the admin has installed the root cert on the client machines.

Eluis007 (Option: A)

The self-signed root certificate and the trusted forward certificate both share the same Common Name (CN), which is "192.168.127.14", and they are both issued by themselves, indicating a self-signed status. It appears that the trusted forward certificate could indeed be self-signed, given the information provided. Since the host doesn't trust the Trusted Forward certificate, but would trust it if it were signed by the Self-Signed Root, it suggests that the Trusted Forward certificate is also self-signed. This alignment in certificate attributes explains the appearance of the untrusted warning. Hence, the answer is A.

SH_ (Option: A)

Forward-trust CA cert must be signed by an already-trusted (enterprise OR self-signed) root CA. In this case, the self-signed root CA cert has already been installed on clients. So, all that's left is for the forward-trust cert to be signed by the already-trusted self-signed root CA. Thus, I'd go with A.

JRKhan (Option: B)

B is correct. Think of forward trust CA cert as an intermediate cert which signs the copy of the actual server cert. It needs to be installed on the client systems along with the root cert to complete the cert chain.

avator (Option: A)

I would go with A, because even if the Admin installs the self-signed root CA in all the clients, whenever they go out to an SSL site (server) the certificate of that site (server) should be signed by the forward trust cert.

mfreeman45770 (Option: B)

See Betty 2022

Frightened_Acrobat (Option: B)

The forward trust can be signed by the Enterprise CA. The forward trust certificate is not signed by a self-signed cert, but can be a self-signed CA. This only leaves B as a correct answer if we assume the forward trust cert is self-signed and not an Enterprise-signed CA. "If you do not install the forward trust certificate on client systems, users see certificate warnings for each SSL site they visit." https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/configure-ssl-forward-proxy