
PCNSE Exam - Question 492


An administrator is configuring SSL decryption and needs to ensure that all certificates for both SSL Inbound inspection and SSL Forward Proxy are installed properly on the firewall.

When certificates are being imported to the firewall for these purposes, which three certificates require a private key? (Choose three.)

Correct Answer: ACD

For the firewall to perform SSL decryption, three of the listed certificates must be present together with their private keys: the Forward Trust certificate, the Forward Untrust certificate, and the End-entity (leaf) certificate. In SSL Forward Proxy the firewall acts as a certificate authority: it generates an impersonation copy of the destination server's certificate and signs it with the Forward Trust CA when the real server certificate chains to a CA the firewall trusts, or with the Forward Untrust CA when it does not. Signing requires the issuing CA's private key, so both Forward Trust and Forward Untrust need one; the Untrust certificate's name describes how clients should treat it (it is deliberately not trusted by clients, so they see a warning), not whether it has a key. In SSL Inbound Inspection the firewall decrypts sessions destined for an internal server, which is only possible if that server's own leaf certificate and private key are imported to the firewall. The Enterprise Root CA and intermediate certificates are imported as public certificates only: the firewall uses them to complete and validate certificate chains, and the root's private key stays in the enterprise PKI, where it was used to sign the Forward Trust subordinate CA.
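The following script is an added example, not part of the exam page or any Palo Alto Networks material. It models the firewall's certificate handling with plain openssl: it builds an Enterprise Root CA, a Forward Trust subordinate CA, a self-signed Forward Untrust CA, the impersonation certificates Forward Proxy would mint, and an inbound server leaf, then checks which steps need a private key and which need only public certificates. All hostnames, file names and the CA subjects are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the exam page or Palo Alto Networks: build the
# certificate set discussed above with openssl and check which pieces need a
# private key. Hostnames and file names are constructed for the demo.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# The check an admin should run before importing a cert+key pair: does the
# key's public half match the certificate? Returns 0 on match.
cert_matches_key() {
    a="$(openssl x509 -in "$1" -noout -pubkey)"
    b="$(openssl pkey -in "$2" -pubout 2>/dev/null)"
    [ "$a" = "$b" ]
}

# Issue a leaf for CN $1, signed by issuer cert $2 with issuer key $3,
# writing $4.key/$4.crt. Fails if $3 is not a usable private key.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$4.key" -out "$4.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$1" > "$4.ext"
    openssl x509 -req -in "$4.csr" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days 30 -extfile "$4.ext" -out "$4.crt" 2>/dev/null
}

# Returns 0 only if $2 is a private key that can issue on behalf of cert $1.
# Passing the issuer's certificate (public key only) as $2 must fail.
can_sign_with() {
    issue_leaf probe.example.com "$1" "$2" probe >/dev/null 2>&1
}

# Returns 0 if leaf $2 chains to trust anchor $1 (optional intermediate $3).
# Verification uses public certificates only; no private key is involved.
chain_verifies() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# 1. Enterprise Root CA. Its private key stays in the enterprise PKI; only
#    root.crt would be imported to the firewall, for chain building.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Enterprise Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext \
    -out root.crt 2>/dev/null

# 2. Forward Trust CA: a subordinate CA issued by the root. Imported WITH
#    fwdtrust.key, because the firewall signs impersonation certs with it.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Forward Trust CA" \
    -keyout fwdtrust.key -out fwdtrust.csr 2>/dev/null
openssl x509 -req -in fwdtrust.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 730 -extfile ca.ext -out fwdtrust.crt 2>/dev/null

# 3. Forward Untrust CA: self-signed on the firewall. It is also a signing CA,
#    so it needs fwduntrust.key too; clients are not meant to trust it.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Forward Untrust CA" \
    -keyout fwduntrust.key -out fwduntrust.csr 2>/dev/null
openssl x509 -req -in fwduntrust.csr -signkey fwduntrust.key -days 730 \
    -extfile ca.ext -out fwduntrust.crt 2>/dev/null

# 4. SSL Forward Proxy: the firewall mints an impersonation cert for the
#    visited site, signed by Forward Trust (server cert trusted) or Forward
#    Untrust (server cert not trusted).
issue_leaf www.example.com fwdtrust.crt fwdtrust.key imp_trusted
issue_leaf www.example.com fwduntrust.crt fwduntrust.key imp_untrusted

# 5. SSL Inbound Inspection: the internal server's own leaf cert AND key are
#    imported; without server.key the firewall cannot decrypt to that server.
issue_leaf intranet.example.com root.crt root.key server

report() { if "$@"; then echo "yes"; else echo "no"; fi; }
echo "Forward Trust cert/key pair consistent:     $(report cert_matches_key fwdtrust.crt fwdtrust.key)"
echo "Inbound server cert/key pair consistent:    $(report cert_matches_key server.crt server.key)"
echo "Client chain check needs only root.crt:     $(report chain_verifies root.crt imp_trusted.crt fwdtrust.crt)"
echo "Untrust-signed cert passes chain check:     $(report chain_verifies root.crt imp_untrusted.crt)"
echo "Forward Trust cert alone can sign (no key): $(report can_sign_with fwdtrust.crt fwdtrust.crt)"
```

Run it with `sh` on any host with openssl 1.1.1 or later. The last report line is the point of the exam question: a CA certificate without its key (the way the Enterprise Root CA and intermediates are imported) can take part in chain validation but cannot issue anything, while the two Forward CAs and the inbound server leaf are useless to the firewall without their keys. `cert_matches_key` is worth running on any PEM or PKCS#12 pair before importing it, since a mismatched key is the usual cause of a decryption profile that commits cleanly but never decrypts.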

Discussion

17 comments
McDrudge (Options: ACD)
Jan 14, 2023

ACD. The question is asking "When certificates are being imported", not "which certificates are generally imported". All certificates listed with the exception of the End-entity cert could be generated on the firewall. Forward Trust (SSL Forward Proxy), Forward Untrust (SSL Forward Proxy), and End-entity (SSL Inbound Inspection) certificates require private keys for the firewall to act as the client (SSL Forward Proxy) or server (SSL Inbound Inspection) in the decryption process. The Root CA and Intermediate certs only require a public key to verify the signature of subordinate certs. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryption-concepts/keys-and-certificates-for-decryption-policies

cRzy (Options: BCE)
Jan 7, 2023

I think it's BCE. The Forward Untrust Certificate doesn't need to be imported. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-forward-proxy

lildevil (Options: BCE)
Jun 6, 2023

They are asking which certs require a private key... nothing about importing them or such, just which ones require it. Via McDrudge's link you definitely need a private key for a CA so it can sign the forward trust cert. The forward trust cert, I think we all agree, needs to have it. The intermediate also needs it.

evdw (Options: ACE)
Jan 3, 2023

Correct Answer is A,C,E

Frightened_Acrobat (Options: BCD)
Feb 21, 2023

BCD are correct. Untrust is self-signed and is not imported. The question mentioned SSL Inbound Inspection, which uses leaf certificates of servers with their private key. The Enterprise CA is needed for the chain of trust for the Forward Trust Certificate. Both of these are imported with their associated private keys.

sov4 (Options: BCD)
Jul 25, 2023

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryption-concepts/keys-and-certificates-for-decryption-policies
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/decryption/configure-ssl-inbound-inspection
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/decryption/configure-ssl-forward-proxy#idb39a2a9b-9c02-413b-ab1c-dc687b7bcb21
A - doesn't matter since it's untrusted. E - if applicable, is used to sign leaf (the server certs for inbound proxy) and forward untrust.

sov4
Jul 25, 2023

Correction to last line... *and forward trust cert

Maryamk (Options: ACE)
Jan 7, 2023

ACE are correct

djedeen (Options: ACD)
Jan 19, 2023

ACD, per McDrudge's text.

DenskyDen (Options: ACD)
Feb 15, 2023

ACD. See McDrudge link.

DenskyDen
Feb 27, 2023

I'm leaning towards ACE now.

dgonz (Options: BCE)
Sep 18, 2023

I think it's BCE..

wallaka (Options: CDE)
Nov 15, 2023

100% not A. Forward Untrust section says nothing about private keys. Private keys are explicitly called out for Forward Trust, both intermediate and end-entity certs depend on the private key of the Enterprise Root CA, which may or may not be on the FW itself so I'm not sure, but definitely not A. "Click Generate at the bottom of the certificates page. Enter a Certificate Name, such as my-ssl-fwd-untrust. Set the Common Name, for example 192.168.2.1. Leave Signed By blank. Click the Certificate Authority check box to enable the firewall to issue the certificate. Click Generate to generate the certificate. Click OK to save. Click the new my-ssl-fwd-untrust certificate to modify it and enable the Forward Untrust Certificate option." https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-forward-proxy#idb39a2a9b-9c02-413b-ab1c-dc687b7bcb21

wallaka
Dec 14, 2023

EDIT: BDE seems more likely. The recommendation for SSL forward proxy is an enterprise CA, but you can use a self-signed Forward Trust, so BC fits best for me and covers both scenarios; it can't be A, it has to be D, and I can't find intermediate certs anywhere, so E must be the red herring.

wallaka
Dec 14, 2023

EDIT #2: mistyped BCD. Can't edit.

samassier (Options: ACD)
Mar 13, 2024

Answer is ACD. Enterprise Root CA certificate: the private key associated with the Enterprise Root CA certificate is not needed for SSL decryption on the firewall. The root CA's public key is used to verify the authenticity of the certificate chain, but the private key is not used in the decryption process. Intermediate certificate: similar to the root CA certificate, the private keys for intermediate certificates are not needed for SSL decryption on the firewall. They are part of the certificate chain used for validation, but the firewall does not require their private keys for decryption purposes.

kinho1985 (Options: CDE)
Jun 24, 2023

the correct choices are C. Forward Trust certificate, D. End-entity (leaf) certificate, and E. Intermediate certificate(s).

PaloSteve
Jul 26, 2023

How to Configure SSL Decryption- https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmyCAC This link has a video and might be helpful for understanding this topic, though the answer to this question isn't directly given, unfortunately. When talking about the Forward Untrust Certificate, it does mention, "uncheck Export private key, as it’s not required", so maybe not Answer A. It also says about Inbound SSL Decryption, "To configure this properly, the administrator imports a copy of the protected server’s certificate and key." So yes to Answer D.

Metgatz (Options: BCD)
Dec 22, 2023

BCD are correct

90fa8d0 (Options: BCE)
Jan 5, 2024

If we go by elimination, the Fwd Untrust and end-entity certificates don't have a private key, so it's BCE.

Pacheco
Feb 14, 2024

Wrong about end entity certificates :/

0d2fdfa (Options: ACD)
May 29, 2024

ACD: A for untrust, C for forward trust, D for inbound.