Option A. The FWDtrust is a CA certificate type capable of signing other certificates.
That means either it's a Root Certificate or an Intermediate certificate. If it were a Root Certificate, then you wouldn't get that warning. That means the certificate is an intermediate and you need to import its Root Certificate.
The answer is D. When importing a CA certificate, the full certificate chain must be present in the certificate information for proper identification/verification.
A can't be true because the certificate in question that is imported is a CA cert.
B can't be true because the certificate in question is imported as a trusted root CA.
C can't be true because SSL Forward proxy can be set up using self-signed certs.
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/configure-ssl-forward-proxy.html
The certificate in the screenshot is a CA, because it has to be a CA for forward trust. The issue is that FWDTrust (whose CN is "Lab-SRV2016...") does not have its CA imported. If it were the CA of its chain, the subject would match the issuer.
Answer A is correct: It is only best practice, not mandatory, to import the full certificate chain for a forward trust certificate, and hence only a warning, not a commit failure.
Answer D is incorrect: The certificate DOES have an issuer - see the "Issuer" field.
If you look at the subject, you will see that there's another certificate which signs the FWDtrust. In fact, it is not a self-signed certificate because of that statement, so D is ambiguous compared to A, because the FWDtrust does have a certificate chain, just that it's not -imported- into the fw.
D is the answer because the image shows us the CA and Key checkboxes, telling us that it is a self-signed Root CA without a certificate, in other words without a chain, according to the warning shown on screen.
D here also, FWDtrust cert has been imported but the firewall could not verify it and asks for the Cert Chain (import either Root or Intermediate that validates FWDtrust).
Under issuer, it tells us which root CA signed the FWDTrust certificate. Correct answer is A. FWDTrust needs to be a CA (intermediate in this case) in order for it to be able to sign the server certs so that clients accessing an external server or website can tell if the firewall trusts those server certs or not.
D. The problem, as it says itself, is that it does not have a complete chain of trust. The solution would be to add in any intermediate CAs that the NGFW doesn't have as root CAs to restore the chain, but the problem is the chain.
D is ambiguous. D is saying that there is no certificate chain for that cert, but there is because the issuer for the FWDTrust is not the same CN as the subject of FWDTrust
Hi Team, to add: it is A. As other users have done, I tested this as well.
If you're using an External/Internal PK, you need to ensure you import the Root CA, in which, once you create and generate your CSR, you reimport the Trust cert into the Firewall. The Trust cert should fall into the COC. If this was a self-signed cert (as I have also labbed) you can simply have that on the FW without a COC.
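The disagreement in the thread comes down to two checks the firewall is doing on an imported forward-trust certificate: is the subject equal to the issuer (self-signed root, nothing else needed), and if not, is the issuer present among the imported CAs (complete chain) or not (the warning). The script below is an added example, not from the thread or from Palo Alto's documentation; it reproduces both checks with the openssl CLI. The names Lab-Root-CA and FWDTrust, the temporary working directory and the minimal req.cnf are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread or Palo Alto docs): build a self-signed root
# and an intermediate CA standing in for FWDTrust, then show why the intermediate
# verifies only once its root is "imported". Names and paths are assumptions.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# Minimal config so the example does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

make_certs() {
  # Root CA: self-signed, so subject and issuer are identical.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config req.cnf -extensions ca_ext -subj "/CN=Lab-Root-CA" \
    -keyout root.key -out root.pem >/dev/null 2>&1
  # Intermediate CA (the FWDTrust analogue): CA:TRUE, but its issuer is the root.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config req.cnf -subj "/CN=FWDTrust" \
    -keyout fwdtrust.key -out fwdtrust.csr >/dev/null 2>&1
  openssl x509 -req -in fwdtrust.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile req.cnf -extensions ca_ext \
    -out fwdtrust.pem >/dev/null 2>&1
}

# Print "yes" when subject == issuer (a self-signed root), otherwise "no".
is_self_signed() {
  subj="$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')"
  issu="$(openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer=//')"
  if [ "$subj" = "$issu" ]; then echo yes; else echo no; fi
}

# Print "complete" when the cert chains to a CA in the optional trust file
# ($2), "incomplete" otherwise. The system trust store is ignored so the
# result reflects only what was explicitly "imported".
chain_status() {
  if [ $# -ge 2 ]; then
    openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1 \
      && echo complete || echo incomplete
  else
    openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1 \
      && echo complete || echo incomplete
  fi
}

make_certs
echo "root self-signed:       $(is_self_signed root.pem)"
echo "FWDTrust self-signed:   $(is_self_signed fwdtrust.pem)"
echo "FWDTrust, root missing: $(chain_status fwdtrust.pem)"
echo "FWDTrust, root present: $(chain_status fwdtrust.pem root.pem)"
```

The last two lines are the two situations argued about above: the same FWDTrust certificate is "incomplete" when only it has been imported and "complete" once its root is in the trust file, which is exactly the difference between a self-signed forward-trust CA (subject equals issuer, nothing more to import) and one issued by an enterprise PKI.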
Commenters and posting times (as extracted from the thread):
AdamLolzSmith: Highly Voted, 3 years, 9 months ago
Prutser2: 3 years, 7 months ago
trashboat: Highly Voted, 3 years, 9 months ago
kerberos: 3 years, 4 months ago
homersimpson: 3 years, 2 months ago
myname_1: 2 years, 2 months ago
kabuelenain: Most Recent, 1 week, 6 days ago
CarlosDV06: 1 month, 2 weeks ago
eca4765: 1 month, 2 weeks ago
evdw: 1 month, 3 weeks ago
j4v13rh4ack: 3 months ago
hcir: 8 months, 2 weeks ago
Forces12: 5 months ago
JRKhan: 1 year, 1 month ago
Micutzu: 1 year, 4 months ago
Micutzu: 1 year, 4 months ago
455_qq: 2 years, 7 months ago
Jared28: 2 years, 11 months ago
unknid: 3 years ago
Kane002: 3 years, 3 months ago
myname_1: 2 years, 2 months ago
Biz90: 3 years, 3 months ago
FS68: 3 years, 4 months ago