Exam PCNSE
Question 388

Your company wants greater visibility into their traffic and has asked you to start planning an SSL Decryption project. The company does not have a PKI infrastructure, and multiple certificates would be needed for this project. Which type of certificate can you use to generate other certificates?

    Correct Answer: A

    To generate other certificates, a self-signed root CA certificate is appropriate. A root CA certificate acts as a trust anchor and can be used to sign other subordinate certificates, which are necessary in environments without an existing Public Key Infrastructure (PKI). This allows the organization to maintain control over certificate issuance and management without relying on external certificate authorities.

Discussion
DenskyDen Option: A

A. Alternatively, generate a self-signed Root CA certificate on the firewall and create a subordinate Forward Trust CA certificate on that firewall to install on network devices. Self-signed certificates are best for small companies that don’t have an Enterprise Root CA and for proof-of-concept (POC) trials. See Passam's link.

Passam Option: A

https://docs.paloaltonetworks.com/best-practices/9-1/decryption-best-practices/decryption-best-practices/plan-ssl-decryption-best-practice-deployment

Marshpillowz Option: A

A is correct

Knowledge33 Option: A

It's A