An administrator has been tasked with deploying SSL Forward Proxy.
Which two types of certificates are used to decrypt the traffic? (Choose two.)
An administrator has been tasked with deploying SSL Forward Proxy.
Which two types of certificates are used to decrypt the traffic? (Choose two.)
For deploying SSL Forward Proxy, two types of certificates can be used to decrypt the traffic: a subordinate CA from the administrator’s own PKI infrastructure and a self-signed root CA. The subordinate CA can be trusted across the organization and integrated with existing PKI structures, while the self-signed root CA must be manually installed on all user devices to ensure the validity of the certificates issued by the proxy device. External CA certificates are not typically used for this purpose as they are generally trusted public entities and not intended for internal traffic decryption.
correct answer is B and C
B and C are correct
B and C
B&C is correct!
Why you guys are saying C is correct without knowing if the Self-signed CA is injected in the user's browser ? Because if it's not, the browser will show a warning. As mentioned in: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/configure-ssl-forward-proxy#idb39a2a9b-9c02-413b-ab1c-dc687b7bcb21 "This method (Self-signed Certificates) requires that you need to install the self-signed certificates on all of your network devices so that those devices recognize the firewall’s self-signed certificates. " I'd say BD because the certificate forwarded in these both cases will be accepted by the browser as trusted. C is correct if we know that the Self-signed CA was added to the user's browser.
Ignore the above, it's BC because the cert is only used to decrypt as per the question
B&C are correct
BC are correct. check question 448
I think it's C and D, based on link below. But I'm not sure. B also looks like an option. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/configure-ssl-forward-proxy#idb39a2a9b-9c02-413b-ab1c-dc687b7bcb21
we don't need external. D is false.