Exam PCNSE
Question 492

An administrator is configuring SSL decryption and needs to ensure that all certificates for both SSL Inbound inspection and SSL Forward Proxy are installed properly on the firewall.

When certificates are being imported to the firewall for these purposes, which three certificates require a private key? (Choose three.)

    Correct Answer: A, C, D

    For the firewall to properly handle SSL decryption, three certificates require a private key: the Forward Untrust certificate, the Forward Trust certificate, and the End-entity (leaf) certificate. The Forward Untrust certificate, despite its name, needs a private key to function properly within the SSL Forward Proxy. The Forward Trust certificate uses the private key to sign and decrypt SSL traffic. Lastly, the End-entity (leaf) certificate used in SSL Inbound Inspection must have a private key to allow decryption of traffic intended for internal servers. The Enterprise Root CA and Intermediate certificates don't require private keys in this context as they are primarily used for verification of subordinate certificate chains.
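The practical consequence of the answer above is a pre-import check: the roles that sign or terminate TLS on the firewall (Forward Trust, Forward Untrust, and the protected server's leaf certificate) must be imported with a private key that actually belongs to the certificate, while the enterprise root and any intermediates are imported as certificates only. The script below is an added example written for this page, not PAN-OS code and not from the exam site. It builds a constructed sample PKI with OpenSSL under a scratch directory, then verifies that each key-bearing role has a matching private key (by comparing the SHA-256 of the public key in the certificate with the public half of the key file) and that the two Forward Proxy signing certificates are real CA certificates. The file names, common names and `app.example.internal` host are all assumptions.

```shell
#!/bin/sh
# Added example (not PAN-OS code): pre-import check that every decryption
# certificate role needing a private key has a matching one. Roles follow the
# answer above: Forward Trust and Forward Untrust (SSL Forward Proxy) and the
# server leaf (SSL Inbound Inspection) need keys; the enterprise root and any
# intermediates are verification-only. All names and paths are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"

# key_matches_cert CERT.pem KEY.pem
# Succeeds only if the key's public half equals the public key inside the cert
# (compared as SHA-256 of the DER-encoded SubjectPublicKeyInfo).
key_matches_cert() {
    cert_fp=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}')
    key_fp=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}')
    [ -n "$cert_fp" ] && [ "$cert_fp" = "$key_fp" ]
}

# is_ca CERT.pem -> true when basicConstraints carries CA:TRUE (a signing cert)
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Minimal req config and extension files so the example does not depend on
# the system openssl.cnf.
mk_req_cnf() {
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=placeholder\n' > "$WORK/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:app.example.internal\n' > "$WORK/leaf.ext"
}

# gen_csr NAME CN -> NAME.key + NAME.csr (fresh RSA key per role)
gen_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# Constructed sample PKI mirroring the certificate roles in the question.
build_sample_pki() {
    mk_req_cnf
    # Enterprise root: in practice its key stays off the firewall
    gen_csr root "Example Enterprise Root CA"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1
    # Forward Trust: subordinate CA issued by the root; cert AND key go on the firewall
    gen_csr fwdtrust "Forward Trust CA"
    openssl x509 -req -in "$WORK/fwdtrust.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1 -extfile "$WORK/ca.ext" -out "$WORK/fwdtrust.crt" >/dev/null 2>&1
    # Forward Untrust: self-signed CA clients must NOT trust; still needs its key to sign
    gen_csr fwduntrust "Forward Untrust CA"
    openssl x509 -req -in "$WORK/fwduntrust.csr" -signkey "$WORK/fwduntrust.key" -days 1 \
        -extfile "$WORK/ca.ext" -out "$WORK/fwduntrust.crt" >/dev/null 2>&1
    # Inbound Inspection: the protected server's leaf certificate and its key
    gen_csr server "app.example.internal"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/server.crt" >/dev/null 2>&1
}

# check_decryption_certs -> non-zero if any key-bearing role lacks a matching
# key, or if a Forward Proxy signing certificate is not actually a CA.
check_decryption_certs() {
    rc=0
    for role in fwdtrust fwduntrust server; do
        if key_matches_cert "$WORK/$role.crt" "$WORK/$role.key"; then
            echo "OK   $role: certificate and private key match"
        else
            echo "FAIL $role: private key missing or does not match"; rc=1
        fi
    done
    for role in fwdtrust fwduntrust; do
        is_ca "$WORK/$role.crt" || { echo "FAIL $role: not a CA certificate"; rc=1; }
    done
    # Root (and any intermediates) are imported as certificates only: no key check.
    echo "INFO root: verification-only, no private key expected on the firewall"
    return $rc
}

build_sample_pki
check_decryption_certs
```

Point `WORK` at a directory holding your real `fwdtrust`, `fwduntrust` and `server` PEM pairs and call `check_decryption_certs` without `build_sample_pki` to run the same checks against material you are about to import; a FAIL on the public-key comparison is the usual sign of a certificate exported without its key or paired with the wrong one.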

Discussion
McDrudge (Options: ACD)

ACD. The question is asking "When certificates are being imported", not "which certificates are generally imported". All certificates listed, with the exception of the End-entity cert, could be generated on the firewall. Forward Trust (SSL Forward Proxy), Forward Untrust (SSL Forward Proxy), and End-entity (SSL Inbound Inspection) certificates require private keys for the firewall to act as the client (SSL Forward Proxy) or server (SSL Inbound Inspection) in the decryption process. The Root CA and Intermediate certs only require a public key to verify the signature of subordinate certs. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryption-concepts/keys-and-certificates-for-decryption-policies

lildevil (Options: BCE)

They are asking which certs require a private key... nothing about importing them or such, just which ones require it. Via McDrudge's link you definitely need a private key for a CA so it can sign the forward trust cert. The forward trust cert, I think we all agree, needs to have it. The intermediate also needs it.

cRzy (Options: BCE)

I think it's BCE. The Forward Untrust Certificate doesn't need to be imported. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-forward-proxy

sov4 (Options: BCD)

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryption-concepts/keys-and-certificates-for-decryption-policies https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/decryption/configure-ssl-inbound-inspection https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/decryption/configure-ssl-forward-proxy#idb39a2a9b-9c02-413b-ab1c-dc687b7bcb21 A - doesn't matter since it's untrusted. E - if applicable, is used to sign the leaf (the server certs for inbound proxy) and forward untrust.

sov4

Correction to last line... *and forward trust cert

Frightened_Acrobat (Options: BCD)

BCD are correct. Untrust is self-signed and is not imported. The question mentioned SSL Inbound Inspection, which uses leaf certificates of servers with a private key. The Enterprise CA is needed for the chain of trust for the Forward Trust Certificate. Both of which are imported with their associated private keys.

evdw (Options: ACE)

Correct answer is A, C, E.

samassier (Options: ACD)

Answer is ACD. Enterprise Root CA certificate: the private key associated with the Enterprise Root CA certificate is not needed for SSL decryption on the firewall. The root CA's public key is used to verify the authenticity of the certificate chain, but the private key is not used in the decryption process. Intermediate certificate: similar to the root CA certificate, the private keys for intermediate certificates are not needed for SSL decryption on the firewall. They are part of the certificate chain used for validation, but the firewall does not require their private keys for decryption purposes.

wallaka (Options: CDE)

100% not A. The Forward Untrust section says nothing about private keys. Private keys are explicitly called out for Forward Trust; both intermediate and end-entity certs depend on the private key of the Enterprise Root CA, which may or may not be on the FW itself, so I'm not sure, but definitely not A. "Click Generate at the bottom of the certificates page. Enter a Certificate Name, such as my-ssl-fwd-untrust. Set the Common Name, for example 192.168.2.1. Leave Signed By blank. Click the Certificate Authority check box to enable the firewall to issue the certificate. Click Generate to generate the certificate. Click OK to save. Click the new my-ssl-fwd-untrust certificate to modify it and enable the Forward Untrust Certificate option." https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-forward-proxy#idb39a2a9b-9c02-413b-ab1c-dc687b7bcb21

wallaka

EDIT: BDE seems more likely. The recommendation for SSL forward proxy is an enterprise CA, but you can use a self-signed Forward Trust, so BC fits best for me and covers both scenarios. It can't be A, it has to be D, and I can't find intermediate certs anywhere, so E must be the red herring.

wallaka

EDIT #2: mistyped BCD. Can't edit.

dgonz (Options: BCE)

I think it's BCE.

DenskyDen (Options: ACD)

ACD. See McDrudge's link.

DenskyDen

I'm leaning towards ACE now.

djedeen (Options: ACD)

ACD, per McDrudge's text.

Maryamk (Options: ACE)

ACE are correct.

0d2fdfa (Options: ACD)

ACD: A for untrust, C for forward trust, D for inbound.

90fa8d0 (Options: BCE)

If we go by elimination, the Forward Untrust and end-entity certificates don't have a private key, so it's BCE.

Pacheco

Wrong about end-entity certificates :/

Metgatz (Options: BCD)

BCD are correct.

PaloSteve

How to Configure SSL Decryption: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmyCAC This link has a video and might be helpful for understanding this topic, though the answer to this question isn't directly given, unfortunately. When talking about the Forward Untrust Certificate, it does mention, "uncheck Export private key, as it's not required", so maybe not Answer A. It also says about Inbound SSL Decryption, "To configure this properly, the administrator imports a copy of the protected server's certificate and key." So yes to Answer D.

kinho1985 (Options: CDE)

The correct choices are C. Forward Trust certificate, D. End-entity (leaf) certificate, and E. Intermediate certificate(s).