https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-inbound-inspection
We recommend uploading a certificate chain (a single file) to the firewall if your end-entity (leaf) certificate is signed by one or more intermediate certificates and your web server supports TLS 1.2 and Rivest, Shamir, Adleman (RSA) or Perfect Forward Secrecy (PFS) key exchange algorithms. Uploading the chain avoids client-side server certificate authentication issues. You should arrange the certificates in the file as follows:
End-entity (leaf) certificate
Intermediate certificates (in issuing order)
(Optional) Root certificate
End-Entity certificate: This should also be uploaded as it represents the server's certificate.
Intermediate certificate(s): These must be uploaded to complete the chain.
Root certificate: (Optional) Normally not uploaded to the Palo Alto firewall as it is already included in the trust store. (Because it is public. If you ask how we can be sure whether it is public or not: since users from the internet should also trust this root CA, it should be public.)
For public inbound access you need the cert chain root and intermediates and the private key of the server certificate. Poorly worded question, but B is the closest to correct.
B. Root CA and Intermediate CA(s).
When performing SSL Inbound Inspection, the firewall acts as a trusted intermediary between the client and the server. To establish trust with the client, the firewall must present a certificate chain that includes the Root CA and any intermediate CA(s) that issued the server's certificate.
The Root CA certificate is the highest-level certificate in the certificate chain and is responsible for signing the intermediate CA certificates. The intermediate CA certificates, in turn, issue the server's end-entity certificate.
A. On the firewall, you must install the certificate and private key for each server for which you want to perform SSL Inbound Inspection. If your web server supports TLS 1.2 and PFS key exchange algorithms and your end-entity (leaf) certificate is signed by intermediate certificates, we recommend uploading a certificate chain (a single file) to the firewall. Uploading the chain avoids client-side server certificate authentication issues. We recommend uploading a certificate chain (a single file) to the firewall if your end-entity (leaf) certificate is signed by one or more intermediate certificates and your web server supports TLS 1.2 and PFS key exchange algorithms.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-concepts/ssl-inbound-inspection
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkoCAC
I think it is A, but not entirely clear from the PAN docs:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-inbound-inspection
Uploading the chain avoids client-side server certificate authentication issues. You should arrange the certificates in the file as follows:
End-entity (leaf) certificate
Intermediate certificates (in issuing order)
(Optional) Root certificate
The key doesn't need to be exportable though, and typically external access to a web service is secured with a publicly issued certificate from a public CA.
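The file order quoted from the PAN-OS documentation above (leaf, then intermediates in issuing order, then an optional root) can be checked before upload. The following is an added example, not code from Palo Alto Networks or from any commenter: all function names are hypothetical, the sample certificates are constructed skeletons, and it compares issuer and subject names byte for byte without verifying signatures.

```python
import base64, re

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Raw DER issuer and subject Names from tbsCertificate."""
    _, pos, _ = read_tlv(der, 0)    # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)  # tbsCertificate SEQUENCE
    fields = []  # serialNumber, signature, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = read_tlv(der, pos)
        if tag != 0xA0:  # skip the optional [0] version
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def check_chain_order(pem_text):
    """Problems found; [] means leaf -> intermediates -> optional root."""
    pat = r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----"
    certs = [issuer_subject(base64.b64decode(b)) for b in re.findall(pat, pem_text, re.S)]
    problems = []
    for i, (issuer, subject) in enumerate(certs):
        if issuer == subject and i != len(certs) - 1:
            problems.append(f"cert {i} is self-issued (a root) but is not last")
        if i + 1 < len(certs) and issuer != certs[i + 1][1]:
            problems.append(f"cert {i} was not issued by cert {i + 1}")
    return problems

# Constructed sample input: skeleton certificates (names only, no real keys or signatures)
def tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length is enough here

def name(cn):
    attr = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))  # commonName
    return tlv(0x30, tlv(0x31, attr))

def fake_pem(subject_cn, issuer_cn):
    empty = tlv(0x30, b"")  # stand-in for fields this check ignores
    tbs = tlv(0x30, tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + empty
              + name(issuer_cn) + empty + name(subject_cn) + empty)
    body = base64.b64encode(tlv(0x30, tbs + empty + b"\x03\x01\x00")).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

LEAF, INTER, ROOT = fake_pem("www", "Int CA"), fake_pem("Int CA", "Root CA"), fake_pem("Root CA", "Root CA")
```

An empty result for `LEAF + INTER` shows that omitting the root is accepted, while a reversed bundle is flagged at each position where the issuer does not match the next certificate's subject.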
Community vote distribution: A (35%), C (25%), B (20%), Other
MrR0bot (Highly Voted), 1 year, 11 months ago
TeachTrooper (Most Recent), 1 day, 1 hour ago
corpguy, 1 month, 4 weeks ago
dorf05, 1 year, 1 month ago
kinho1985, 1 year, 6 months ago
DenskyDen, 1 year, 11 months ago
djedeen, 2 years ago
Danush, 2 years ago
gully300, 1 year, 12 months ago