Refer to the exhibit.
Which certificates can be used as a Forward Trust certificate?
Exam PCNSE All QuestionsBrowse all questions from this exam
Question 57
Correct Answer: C
In the context of using certificates for SSL Forward Proxy, the Forward Trust certificate must be a CA certificate with the Key usage enabled. The exhibit indicates that the Domain Sub-CA and Forward_Trust certificates have both the CA and Key attributes enabled. However, the Domain Sub-CA certificate is intended to act as an intermediate certificate, whereas the Forward_Trust appears to be specifically designated for use in forward trust configurations, which aligns with the naming convention. Therefore, the correct answer is the 'Forward_Trust' certificate.
Discussion
BreyargOption: B
wouldn't the only correct answer be B? Must be a CA to be used. must have private key also. can be a root but doesnt have to be.... so that only leaves B as correct answer? anyone? as far as i know you cant use public certs for decryption? so cant be A
NHANTON
yes, CA and the key is mandatory
GivemeMoney
Should be D. Domain-Root-Cert, the usage "Trusted Root CA Certificate" is the one that is going to be used.
Knowledge33
There is no key on the D. The question is "can be used", not "is used". We only need to click on the certificate, then check the box " Forward trust Certificate". Only B is correct.
Pretorian
You are correct. You cannot use certificates from well known third party CA's (like GoDaddy, etc) for decryption. The more elegant approach for SSL Forward Proxy and the easiest by far is a to use a domain CA because automatically all domain joined machines will trust those certificates, overcoming the challenge of distribution of the decryption certificate.
NHANTONOption: B
B is correct answer
poiuytr
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMNKCA4&lang=en_US%E2%80%A9
NHANTONOption: B
B is correct answer
GabranchOption: B
Aside from requiring it to be a CA, you'll notice that answer C uses a hyphen but the cert name has an underscore.
PaloSteveOption: C
My vote is for C. https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/decryption/configure-ssl-forward-proxy In Step 4 of the Use a self-signed certificate as the Forward Trust certificate, which is titled "Generate new subordinate CA certificates for each firewall" it follows with 5. "Click the new certificate to modify it and click the Forward Trust Certificate checkbox to configure the certificate as the Forward Trust Certificate". The CA box is only necessary to be checked for the Intermediate key. It is the cert created from the Intermediate CA that is used as the Forward Trust cert.
KKQQ12345
This is not a valid question. Forward-Trusted Cert has to be configured, otherwise you can't even commit.
Meira088Option: B
B is correct answer
1Adrian1Option: B
B is correct
MarshpillowzOption: B
Correct answer is B
JRKhanOption: B
B is correct as both CA and Key options need to be selected/enabled.
Knowledge33Option: B
There is no key on the D. The question is "can be used", not "is used". We only need to click on the certificate, then check the box " Forward trust Certificate". Only B is correct.
KKQQ12345Option: D
B should be wrong because their usage is empty AC does not have CA
Knowledge33
There is no key on the D. The question is "can be used", not "is used". We only need to click on the certificate, then check the box " Forward trust Certificate". Only B is correct.
UFanatOption: B
B is a correct one