Subject Common Name (CN) and Validity Period are the only required attributes.
That is a very poor question. Still, I would go for BD, is the best option
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/decryption-concepts/ssl-inbound-inspection
"On the firewall, you must install the certificate and private key for each server for which you want to perform SSL Inbound Inspection"
SAN (subject alternative name) is required these days on all major browsers otherwise browsers throw and error. Even if the CN field matches, browsers require SAN to match the inbound server URL.
I have never seen an exam written as bad as PCNSE. You need to have a server certificate with its private key to perform SSL Inbound Inspection. You can define SANs but they are not mandatory (in fact, you could deploy SSL Inbound Inspection WITHOUT defining any SAN).
Question is poorly worded however keep in mind that: Option D subject alternative name is irrelevant, this is only needed when one cert needs to cover multiple websites. For inbound decryption, you need the server certificate for the site and its private key.
On the firewall, you must install the certificate and private key for each server for which you want to perform SSL Inbound Inspection. The firewall validates that the certificate sent by the targeted server during the SSL/TLS handshake matches a certificate in your Decryption policy rule. If there is a match, the firewall forwards the server's certificate to the client requesting server access and establishes a secure connection.
B and C as You can upload the server certificate and private key alone to the firewall if your web server supports only TLS 1.2 and the RSA key exchange algorithm and the server’s certificate chain (if the leaf certificate is signed by intermediate certificates) is installed on the server. SSL Inbound Inspection discusses each case in more detail.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/configure-ssl-inbound-inspection
Poorly worded question but I say C because usually the intention of the question is not to be so tricky and shady. In our scenario there is no known requirement for SAN, so I'm thinking to not focus so specifically on the word attributes. The cert *must* have a private key and would need to support server authentication. I understand why many are suggesting D though due to the specific attribute verbiage.
So which answer did you choose? Are we to choose the right answers (corrected by the users), or the wrong answers (provided by exam topics) on the exam to get it right?
Option D subject alternative name is irrelevant, this is only needed when one cert needs to cover multiple websites. For inbound decryption, you need the server certificate for the site and its private key.
It´s tricky. If you go for "certificate attributes" in the sense of "certificate extensions", and regarding this link: https://knowledge.digicert.com/solution/SO18140.html
then the only extensions are
C: purpose = server certificate
D: Subject alternate name (DNS)
As it is inbound inspection I would assume, that it is for a web server which will nowadays always have a server certificate with subject alternate name.
By the way, the "private key" is NOT an attribute of a SSL certificate. Anyway you have to import the server certificate including the private key.
B. A private key: The private key is necessary to decrypt the incoming SSL/TLS traffic so that it can be inspected. Without the private key, you won't be able to decrypt the traffic, which is a fundamental part of SSL Inbound Inspection.
C. A server certificate: This certificate is used to establish the SSL/TLS connection with the client. It's presented to the client during the SSL handshake and is typically issued for the server's hostname or domain. This certificate is also used for re-encrypting the traffic after inspection.
A and B are best choices imho.
'You can upload the server certificate and private key alone to the firewall if your web server supports only TLS 1.2 and the RSA key exchange algorithm and the server’s certificate chain (if the leaf certificate is signed by intermediate certificates) is installed on the server. SSL Inbound Inspection discusses each case in more detail. "https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/decryption/configure-ssl-inbound-inspection#:~:text=You%20can%20upload,in%20more%20detail
This section is not available anymore. Please use the main Exam Page.PCNSE Exam Questions
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Alen
Highly Voted 2 years, 5 months agoRaaf_NL
1 year, 3 months agoALCOSTA35
4 months, 3 weeks agoTAKUM1y
Highly Voted 2 years, 5 months agodivi1
Most Recent 1 day, 16 hours agoCarlosDV06
2 months, 3 weeks agodivi1
1 day, 16 hours ago62c930f
4 months, 4 weeks agoYohinar
5 months ago362c603
6 months agoBau24
8 months, 2 weeks agoMostafaNawar
11 months, 3 weeks agoJared28
1 year, 1 month agoJRKhan
1 year, 3 months agoomgt2k2
1 year, 3 months agoscanossa
1 year, 3 months ago428cd48
1 year agoPaagee
1 year, 3 months agoArtbrut
1 year, 7 months agoelectro165
1 year, 7 months agoMojo413
1 year, 9 months ago