Exam PCNSE topic 1 question 320 discussion

question asks what two attributes of a certicate are required, not what type of certificates are required. answer is B and D

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/decryption-concepts/ssl-inbound-inspection "On the firewall, you must install the certificate and private key for each server for which you want to perform SSL Inbound Inspection"

The firewall needs the private key to decrypt the traffic, and the certificate of the server in order to properly perform decryption

Question is poorly worded however keep in mind that: Option D subject alternative name is irrelevant, this is only needed when one cert needs to cover multiple websites. For inbound decryption, you need the server certificate for the site and its private key.

B is necessary. C I guess is the cert of the server that will be accessed by the users in the internet

On the firewall, you must install the certificate and private key for each server for which you want to perform SSL Inbound Inspection. The firewall validates that the certificate sent by the targeted server during the SSL/TLS handshake matches a certificate in your Decryption policy rule. If there is a match, the firewall forwards the server's certificate to the client requesting server access and establishes a secure connection.

B and C as You can upload the server certificate and private key alone to the firewall if your web server supports only TLS 1.2 and the RSA key exchange algorithm and the server’s certificate chain (if the leaf certificate is signed by intermediate certificates) is installed on the server. SSL Inbound Inspection discusses each case in more detail. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/configure-ssl-inbound-inspection

Poorly worded question but I say C because usually the intention of the question is not to be so tricky and shady. In our scenario there is no known requirement for SAN, so I'm thinking to not focus so specifically on the word attributes. The cert *must* have a private key and would need to support server authentication. I understand why many are suggesting D though due to the specific attribute verbiage.

It is a poorly written question but I guess they want us to go for B and C.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/decryption-concepts/ssl-inbound-inspection

I got this question in the exam

Option D subject alternative name is irrelevant, this is only needed when one cert needs to cover multiple websites. For inbound decryption, you need the server certificate for the site and its private key.

It´s tricky. If you go for "certificate attributes" in the sense of "certificate extensions", and regarding this link: https://knowledge.digicert.com/solution/SO18140.html then the only extensions are C: purpose = server certificate D: Subject alternate name (DNS) As it is inbound inspection I would assume, that it is for a web server which will nowadays always have a server certificate with subject alternate name. By the way, the "private key" is NOT an attribute of a SSL certificate. Anyway you have to import the server certificate including the private key.

B. A private key: The private key is necessary to decrypt the incoming SSL/TLS traffic so that it can be inspected. Without the private key, you won't be able to decrypt the traffic, which is a fundamental part of SSL Inbound Inspection. C. A server certificate: This certificate is used to establish the SSL/TLS connection with the client. It's presented to the client during the SSL handshake and is typically issued for the server's hostname or domain. This certificate is also used for re-encrypting the traffic after inspection.

A and B are best choices imho. 'You can upload the server certificate and private key alone to the firewall if your web server supports only TLS 1.2 and the RSA key exchange algorithm and the server’s certificate chain (if the leaf certificate is signed by intermediate certificates) is installed on the server. SSL Inbound Inspection discusses each case in more detail. "https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/decryption/configure-ssl-inbound-inspection#:~:text=You%20can%20upload,in%20more%20detail

These are the only Certificate attributes in the available options.

BD because the question asks for attributes.