PCNSE Exam - Question 320


A network administrator wants to deploy SSL Inbound Inspection. What two attributes should the required certificate have? (Choose two.)

Correct Answer: BC

For SSL Inbound Inspection, the required certificate should have a private key and be a server certificate. The private key is necessary to decrypt the incoming SSL/TLS traffic for inspection. The server certificate is used to establish the SSL/TLS connection with the client and is essential for re-encrypting the traffic after inspection. These attributes ensure that the firewall can both decrypt and re-encrypt the traffic, which is crucial for SSL Inbound Inspection.
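An added example (not from the original page or from Palo Alto Networks documentation): a Go check of the properties this question turns on, namely whether the private key pairs with the certificate, whether its Extended Key Usage permits TLS server authentication, and which SAN DNS names it carries. The function names `sample` and `inspect` and the host name are assumptions, and the certificate is constructed inline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// sample returns a constructed self-signed certificate and PKCS#8 key (demo data only).
func sample(cn string, sans []string, eku ...x509.ExtKeyUsage) (certPEM, keyPEM []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: eku, DNSNames: sans}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	kder, _ := x509.MarshalPKCS8PrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: kder})
}

// inspect fails when keyPEM is missing or does not pair with certPEM; otherwise it
// reports whether the EKU permits TLS server auth and the subjectAltName DNS names.
func inspect(certPEM, keyPEM []byte) (serverAuth bool, sans []string, err error) {
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // compares key with the leaf's public key
	if err != nil {
		return false, nil, err
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return false, nil, err
	}
	// A certificate with no EKU extension is not restricted to any purpose.
	serverAuth = len(leaf.ExtKeyUsage)+len(leaf.UnknownExtKeyUsage) == 0
	for _, u := range leaf.ExtKeyUsage {
		serverAuth = serverAuth || u == x509.ExtKeyUsageServerAuth || u == x509.ExtKeyUsageAny
	}
	return serverAuth, leaf.DNSNames, nil
}

func main() {
	fmt.Println(inspect(sample("www.example.test", nil))) // CN only, no SAN
}
```
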

Discussion

Alen (Options: BD)
Oct 30, 2022

The question asks what two attributes of a certificate are required, not what type of certificates are required. The answer is B and D.

Raaf_NL
Jan 11, 2024

Subject Common Name (CN) and Validity Period are the only required attributes. That is a very poor question. Still, I would go for BD; it is the best option.

ALCOSTA35
Nov 28, 2024

Is SAN not optional? I have never seen SAN as a required attribute.

TAKUM1y (Options: BC)
Oct 27, 2022

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/decryption-concepts/ssl-inbound-inspection "On the firewall, you must install the certificate and private key for each server for which you want to perform SSL Inbound Inspection"

kosu39
Jan 17, 2023

B, D - the attributes, not the type.

Yohinar (Options: BC)
Nov 13, 2024

The question is poorly worded; however, keep in mind that option D (subject alternative name) is irrelevant; this is only needed when one cert needs to cover multiple websites. For inbound decryption, you need the server certificate for the site and its private key.

west33637
Oct 19, 2022

I believe this may be BD. The question asked for the required certificate attributes, not the actual certificate that is required, but the certificate attributes. Private key and SAN are the only certificate attributes in the question. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryption-concepts/decryption-san

confusion
Oct 29, 2022

I'm thinking that way too - the question asks for cert attributes, not cert type.

tahira
Jan 20, 2023

Correct answer is B, C. On the firewall, you must install the certificate and private key for each server for which you want to perform SSL Inbound Inspection. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-concepts/ssl-inbound-inspection

mohr22
Jan 26, 2023

BC: On the firewall, you must install the certificate and private key for each server for which you want to perform SSL Inbound Inspection. If your web server supports TLS 1.2 and PFS key exchange algorithms and your end-entity (leaf) certificate is signed by intermediate certificates, we recommend uploading a certificate chain (a single file) to the firewall. Uploading the chain avoids client-side server certificate authentication issues.

mohr22
Feb 5, 2023

Sorry, it's BD; the question is regarding (What two attributes should the required certificate have?), a little confusing.

Paagee (Options: BC)
Jan 8, 2024

Option D (subject alternative name) is irrelevant; this is only needed when one cert needs to cover multiple websites. For inbound decryption, you need the server certificate for the site and its private key.

62c930f (Options: BC)
Nov 20, 2024

The firewall needs the private key to decrypt the traffic, and the certificate of the server in order to properly perform decryption.

confusion (Options: BD)
Oct 29, 2022

BD. The question asks for certificate ATTRIBUTES, not cert type.

daytonadave2011 (Options: BD)
Mar 21, 2023

B, D are talking about the attributes.

kewokil120 (Options: BD)
Mar 31, 2023

BD because the question asks for attributes.

electro165 (Options: BC)
Sep 3, 2023

B. A private key: The private key is necessary to decrypt the incoming SSL/TLS traffic so that it can be inspected. Without the private key, you won't be able to decrypt the traffic, which is a fundamental part of SSL Inbound Inspection.

C. A server certificate: This certificate is used to establish the SSL/TLS connection with the client. It's presented to the client during the SSL handshake and is typically issued for the server's hostname or domain. This certificate is also used for re-encrypting the traffic after inspection.

scanossa
Jan 8, 2024

I got this question in the exam

428cd48
Mar 20, 2024

So which answer did you choose? Are we to choose the right answers (corrected by the users), or the wrong answers (provided by exam topics) on the exam to get it right?

JRKhan (Options: BC)
Jan 15, 2024

It is a poorly written question but I guess they want us to go for B and C.

Jared28 (Options: BC)
Mar 2, 2024

Poorly worded question but I say C because usually the intention of the question is not to be so tricky and shady. In our scenario there is no known requirement for SAN, so I'm thinking to not focus so specifically on the word attributes. The cert *must* have a private key and would need to support server authentication. I understand why many are suggesting D though due to the specific attribute verbiage.

divi1 (Options: BD)
Apr 18, 2025

SAN (subject alternative name) is required these days on all major browsers; otherwise browsers throw an error. Even if the CN field matches, browsers require SAN to match the inbound server URL.

blahblah1234567890000 (Options: BD)
May 7, 2023

These are the only Certificate attributes in the available options.

Mojo413 (Options: AB)
Jun 28, 2023

A and B are best choices imho. "You can upload the server certificate and private key alone to the firewall if your web server supports only TLS 1.2 and the RSA key exchange algorithm and the server’s certificate chain (if the leaf certificate is signed by intermediate certificates) is installed on the server. SSL Inbound Inspection discusses each case in more detail." https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/decryption/configure-ssl-inbound-inspection#:~:text=You%20can%20upload,in%20more%20detail

Artbrut (Options: CD)
Sep 11, 2023

It's tricky. If you go for "certificate attributes" in the sense of "certificate extensions", and regarding this link: https://knowledge.digicert.com/solution/SO18140.html then the only extensions are C: purpose = server certificate, and D: Subject alternate name (DNS). As it is inbound inspection, I would assume that it is for a web server, which will nowadays always have a server certificate with subject alternate name. By the way, the "private key" is NOT an attribute of an SSL certificate. Anyway, you have to import the server certificate including the private key.

omgt2k2 (Options: BC)
Jan 10, 2024

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/decryption-concepts/ssl-inbound-inspection

MostafaNawar (Options: BC)
Apr 26, 2024

B and C, as you can upload the server certificate and private key alone to the firewall if your web server supports only TLS 1.2 and the RSA key exchange algorithm and the server’s certificate chain (if the leaf certificate is signed by intermediate certificates) is installed on the server. SSL Inbound Inspection discusses each case in more detail. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/configure-ssl-inbound-inspection

Bau24 (Options: BC)
Aug 4, 2024

On the firewall, you must install the certificate and private key for each server for which you want to perform SSL Inbound Inspection. The firewall validates that the certificate sent by the targeted server during the SSL/TLS handshake matches a certificate in your Decryption policy rule. If there is a match, the firewall forwards the server's certificate to the client requesting server access and establishes a secure connection.

362c603 (Options: BC)
Oct 15, 2024

B is necessary. C, I guess, is the cert of the server that will be accessed by the users on the internet.

CarlosDV06 (Options: BC)
Jan 24, 2025

I have never seen an exam written as badly as PCNSE. You need to have a server certificate with its private key to perform SSL Inbound Inspection. You can define SANs but they are not mandatory (in fact, you could deploy SSL Inbound Inspection WITHOUT defining any SAN).

divi1
Apr 18, 2025

If you don't have a SAN in the certificate, the browser will throw warnings when the client opens up the webpage.

Redheidoo (Options: BD)
Apr 26, 2025

A server certificate is no attribute of a certificate + a SAN entry is required for all major browsers; otherwise the browser will throw an error.