I believe the answer is AD. The forward trust certificate should include the CA certificate to establish the trust chain.
The forward trust certificate should have a SAN that includes the FQDN (Fully Qualified Domain Name) or IP address of the SSL Forward Proxy.
Private key is not a certificate attribute.
Subject Alternative Name (SAN) is not mandatory for a forward trust certificate. It may be utilized to identify alternate names for the server presenting the certificate, employing attributes such as dNSName or iPAddress.
Regarding the requirements for all certificates:
Subject: The Common Name (CN) attribute serves to establish the identity of the entity presenting the certificate. It's worth noting that in certain certificates, the Subject Alternate Name extension can be utilized as an alternative means of specifying identity.
In this particular context, it appears that the term "attributes" is not confined to the conventional attributes of a certificate, but rather refers broadly to its properties. Since there is only one attribute mentioned, SAN, and it's not obligatory, the answer likely consists of attributes that are essential for decrypting the traffic. Thus, the correct response could be A and B, as without these properties (or attributes), decrypting the traffic would not be feasible.
Forward trust needs to be a CA cert and have the private key so it can sign individual certs. These are not attributes but I think that is just poor question wording and this is what they mean.
Server certificate is wrong because it needs to be a CA certificate.
SAN is wrong because this is not necessary and invalid when using a CA certificate.
I think people are taking the word "attributes" too literally. A forward trust is *NOT* a server certificate and does *NOT* need to include SAN in any way. So C and D are definitely wrong. It *DOES* need to be a cert authority and have a private key though.
It's A+B, only CA certificates can be set as forward (un)trust certificates and you need the private key in order to sign the MitM-Certificates on the fly.
The question is a bit tricky as it is not asking about X.509 attributes, but the attributes in the certificate overview, and those are "CA" and "Private Key".
Definitely not a good list of answers and only one is correct (D) and I'm hoping (A) is just typed incorrectly on the test.
Version
Serial Number
Signature Algorithm
Issuer
Valid From and Valid To
Subject
Public Key
Subject Alternative Name (SAN)
Basic Constraints
Subject Key Identifier (SKI)
Key Usage
CRL Distribution Points
Certificate Policies
Extended Key Usage (EKU)
Authority Key Identifier (AKI)
Authority Info Access
SCT List
Thumbprint
This question is not good. It definitely needs to be a CA Certificate to be forward trust.
It does not need a private key.
A Server certificate is not an attribute.
A SAN is an attribute so therefore, the answer is A D
I think A+ B are the only reasonable answers. You can configure the firewall to append the SAN of a requested server into the impersonation certificate it creates:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-concepts/decryption-san
But this is part of the decryption profile and not of the forward trust cert.
Hello all, I think the question is not worded clearly. Certificate attributes are, e.g., Country, State, Locality, Department, IP, Hostnames, Organisation (OU), so none of the certificate attributes match the answers here, so I would go with A and B as well because they are the most obvious choices based on the PA docs shared so far. Let me know what you think.
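The two properties most replies above settle on (a CA certificate whose private key is available) can be checked with OpenSSL before a certificate is used for forward trust. This is an added example, not part of the thread or of the vendor documentation; the file names, subject names and the `make_samples` and `check_forward_trust` helpers are assumptions, and the certificates are constructed throwaway samples.

```shell
#!/bin/sh
# Build two constructed, throwaway self-signed certs in DIR: ca.* and leaf.*
make_samples() {
    dir=$1
    cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed-forward-trust.example
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:constructed-server.example
EOF
    for kind in ca leaf; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -config "$dir/openssl.cnf" -extensions "v3_$kind" \
            -keyout "$dir/$kind.key" -out "$dir/$kind.crt" 2>/dev/null || return 1
    done
}

# Print "ok", "not-a-ca", "key-mismatch" or "key-unreadable" for CERT and KEY.
check_forward_trust() {
    cert=$1; key=$2
    # Basic Constraints must mark the certificate as a CA, otherwise it
    # cannot sign the per-site certificates the proxy issues on the fly.
    if ! openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "not-a-ca"; return 1
    fi
    # The private key must be readable and match the certificate's public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "key-unreadable"; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "key-mismatch"; return 1
    fi
    echo "ok"
}

# Demo on the constructed samples.
demo=$(mktemp -d)
make_samples "$demo"
echo "CA cert, own key:   $(check_forward_trust "$demo/ca.crt" "$demo/ca.key")"
echo "leaf cert, own key: $(check_forward_trust "$demo/leaf.crt" "$demo/leaf.key")"
echo "CA cert, wrong key: $(check_forward_trust "$demo/ca.crt" "$demo/leaf.key")"
rm -rf "$demo"
```

The leaf sample carries a SAN and still fails the check, while the CA sample has no SAN and passes.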