Exam PCNSE
Question 519

A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones. The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.

What is the best choice for an SSL Forward Untrust certificate?

    Correct Answer: A

    The SSL Forward Untrust certificate is the CA certificate the firewall uses to re-sign a copy of the server certificate when the original certificate fails validation (untrusted issuer, expired, revoked, name mismatch); a server certificate that validates is re-signed with the Forward Trust certificate instead. For the warning to reach the user, the Forward Untrust certificate must be a self-signed CA certificate generated on the firewall and never distributed to client trust stores. Because no browser trusts it, the re-signed certificate fails validation on the client and the user sees an untrusted-certificate warning in place of the one the original server certificate would have produced. A certificate issued by the enterprise PKI or by a public CA is the wrong choice for this role: clients already trust that chain, so the re-signed certificate would validate and the warning would be suppressed. The check to run after deployment is the opposite of the one for the Forward Trust certificate: confirm that the Forward Untrust CA is absent from every client trust store, because importing it there silently turns the warning off.

Discussion
Andromeda1800 (Option: A)

It's A, a self-signed certificate generated on the firewall. The client is supposed to present a warning about an untrusted certificate, and that's what answer A will provide. I am surprised how many people answer wrong even for the simplest questions like this, create too much noise with their comments, and create confusion. I hope there are people who really read the study guides, admin guides and PAN Beacon study materials before they put comments here with so much confidence, claiming something is 100% correct while it's not.

MostafaNawar (Option: A)

A of course

Marshpillowz (Option: A)

A is correct

TeachTrooper (Option: A)

As it needs to be the Forward Untrust certificate, it must not be signed by a trusted source, so self-signed it is.

brian7857ffs45

This question was on the exam, Nov 2023.

Frightened_Acrobat (Option: A)

The only acceptable answer is A. You don't want to pay for the certificate, you don't want it to have a chain of trust and you don't want it trusted anywhere in your network. It's an 'Untrust' certificate after all.

Knowledge33 (Option: A)

The browser doesn't have to trust the certificate. That's why we need to use a self-signed one, which is free, easy to deploy and works well. The user should get a warning message. In this case, only A is correct. D is false because the browser will trust the cert automatically.

abanaaba (Option: D)

I will go with D

PaloSteve

Please don't go with answer D. The root cert of the org will be in the trust store of the enterprise computers and will NOT give warnings about untrusted sites.

zequel (Option: A)

A is the only correct answer, since it's supposed to be an untrusted certificate on the browser end.

Pochex (Option: A)

A is correct: if client machines and browsers do not have the self-signed certificate installed, a warning will be triggered.

netsof (Option: A)

The answer is A; the question is about the Forward Untrust certificate.

[Removed]

Definitely not A. A self-signed CA will not be trusted by the browser, as it is not a trusted cert.

netsof

Exactly. B, C and D would result in a trusted certificate being presented to the users and won't provide the untrusted certificate warning.

Knowledge33

Please read the question again. The browser doesn't have to trust the certificate. That's why we need to use a self-signed one, which is free, easy to deploy and works well. The user should get a warning message. In this case, only A is correct. D is false because the browser will trust the cert automatically.

[Removed]

You are right, and this is why I failed this exam. I need to slow down and read the questions better.