Exam PCNSE
Question 453

A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a forward trust certificate have? (Choose two.)

    Correct Answer: A, B

    To deploy SSL Forward Proxy decryption, a forward trust certificate must include a certificate authority (CA) certificate to establish trust, and a private key to decrypt the SSL traffic and re-encrypt it while acting as an intermediary. The CA certificate is essential for the proxy to generate new certificates for secure sites visited by clients. The private key is necessary for the proxy to decrypt and re-encrypt the traffic passing through it. These two components ensure that the intermediary can properly perform its forwarding and decrypting functions, maintaining secure communication. Attributes like server certificates or subject alternative names are not relevant or necessary in this context.
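The signing step described above, as an added example that is not part of the original page or of PAN-OS: a client accepts a certificate generated on the fly only when the signing certificate has Basic Constraints CA:TRUE and the signer holds its private key, while the SAN is set on the generated leaf. The function names `issue` and `clientAccepts`, the subject names and `www.example.com` are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a certificate for cn (constructed names only). isCA sets Basic
// Constraints CA:TRUE, san fills the SAN; a nil parent means self-signed.
func issue(cn string, isCA bool, san []string, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA, DNSNames: san,
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// clientAccepts reports whether a client that trusts only root accepts a
// certificate for host that was signed on the fly with root's private key.
func clientAccepts(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string) bool {
	leaf, _ := issue(host, false, []string{host}, root, rootKey)
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

func main() {
	ca, caKey := issue("Constructed Forward Trust CA", true, nil, nil, nil)
	srv, srvKey := issue("Constructed Server Cert", false, nil, nil, nil)
	fmt.Println("CA cert + key:", clientAccepts(ca, caKey, "www.example.com"))      // true
	fmt.Println("server cert + key:", clientAccepts(srv, srvKey, "www.example.com")) // false
}
```

The second case fails even though the client trusts the signing certificate, because a certificate without CA:TRUE is not allowed to sign other certificates.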

Discussion
netsof Options: AD

I believe the answer is AD. The forward trust certificate should include the CA certificate to establish the trust chain. The forward trust certificate should have a SAN that includes the FQDN (Fully Qualified Domain Name) or IP address of the SSL Forward Proxy. Private key is not a certificate attribute.

SRowe Options: AB

Forward trust needs to be a CA cert and have the private key so it can sign individual certs. These are not attributes but I think that is just poor question wording and this is what they mean. Server certificate is wrong because it needs to be a CA certificate. SAN is wrong because this is not necessary and invalid when using a CA certificate.

Jared28 Options: AB

I think people are taking the word "attributes" too literally. A forward trust is *NOT* a server certificate and does *NOT* need to include SAN in any way. So C and D are definitely wrong. It *DOES* need to be a cert authority and have a private key though.

Kaifus Options: AD

Definitely not a good list of answers and only one is correct (D) and I'm hoping (A) is just typed incorrectly on the test. Version, Serial Number, Signature Algorithm, Issuer, Valid From and Valid To, Subject, Public Key, Subject Alternative Name (SAN), Basic Constraints, Subject Key Identifier (SKI), Key Usage, CRL Distribution Points, Certificate Policies, Extended Key Usage (EKU), Authority Key Identifier (AKI), Authority Info Access, SCT List, Thumbprint.

franko_72 Options: AD

This question is not good. It definitely needs to be a CA Certificate to be forward trust. It does not need a private key. A Server certificate is not an attribute. A SAN is an attribute so therefore, the answer is A D

Grace_Shu Options: BD

BD, question is asking about certificate attributes. Check this: https://knowledge.digicert.com/solution/SO18140.html

Eluis007 Options: AB

Subject Alternative Name (SAN) is not mandatory for a forward trust certificate. It may be utilized to identify alternate names for the server presenting the certificate, employing attributes such as dNSName or iPAddress. Regarding the requirements for all certificates: Subject: The Common Name (CN) attribute serves to establish the identity of the entity presenting the certificate. It's worth noting that in certain certificates, the Subject Alternate Name extension can be utilized as an alternative means of specifying identity. In this particular context, it appears that the term "attributes" is not confined to the conventional attributes of a certificate, but rather refers broadly to its properties. Since there is only one attribute mentioned, SAN, and it's not obligatory, the answer likely consists of attributes that are essential for decrypting the traffic. Thus, the correct response could be A and B, as without these properties (or attributes), decrypting the traffic would not be feasible.

tonja Options: AB

A & B is correct

news088 Options: AD

B is not correct. On a certificate you have a public key. The question is related to certificate attributes.

blahblah1234567890000 Options: BD

Question is asking about attributes, people.

MostafaNawar Options: AD

A, D https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy

Marshpillowz

Horrible question!

TeachTrooper Options: AB

It's A+B, only CA certificates can be set as forward (un)trust certificates and you need the private key in order to sign the MitM-Certificates on the fly. The question is a bit tricky as it is not asking about X.509 attributes, but the attributes in the certificate overview, and those are "CA" and "Private Key".

Artbrut Options: AB

I think A + B are the only reasonable answers. You can configure the firewall to append the SAN of a requested server into the impersonation certificate it creates: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-concepts/decryption-san. But this is part of the decryption profile and not of the forward trust cert.

mick9231

B is incorrect. A certificate never contains a private key but instead a public key.

Betty2022 Options: AB

Hello All, I think the question is not worded clearly. Certificate Attributes are, e.g., Country, State, Locality, Department, IP, Hostnames, Organisation (OU), so none of the Certificate Attributes match the answers here, so I would go with A and B as well because they are the most obvious choices based on the PA docs shared so far. Let me know what you think.

kinho1985 Options: AB

The correct options are A. A certificate authority (CA) certificate and B. A private key.

Knowledge33 Options: AB

The answer is AB