Exam PCNSE topic 1 question 492 discussion

ACD. The question is asking "When certificates are being imported", not "which certificates are generally imported". All certificates listed with the exception of the End-entity cert could be generated on the firewall. Forward Trust (SSL Forward Proxy), Forward Untrust (SSL Forward Proxy), and End-entity (SSL Inbound Inspection) certificates require private keys for the firewall to act as the client (SSL Forward Proxy) or server (SSL Inbound Inspection) in the decyreption process. The Root CA and Intermediate certs only require a public key to verify the signature of subordinate certs. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryption-concepts/keys-and-certificates-for-decryption-policies

For SSL Forward proxy. If server certificate is trusted - firewall signs a copy of a server certificate with a forward trust certificate. If server certificate is untrusted - Firewall signs a copy of a server certificate with a forward untrust certificate. To sign a copy of a server certificate you need a private key. So A & C. For SSL Inbound inspection. You need to have a server certificate and key to inspect the traffic. So D.

ACD A for untrust C for forward trust D for inbound.

answer is ACD : Enterprise Root CA certificate : The private key associated with the Enterprise Root CA certificate is not needed for SSL decryption on the firewall. The root CA's public key is used to verify the authenticity of the certificate chain, but the private key is not used in the decryption process. Intermediate certificate : Similar to the root CA certificate, the private keys for intermediate certificates are not needed for SSL decryption on the firewall. They are part of the certificate chain used for validation, but the firewall does not require their private keys for decryption purposes.

if we go by elimination , the Fwrd Untrust and end-entery certificates dont have Private Key. so its BCE

BCD are correct

100% not A. Forward Untrust section says nothing about private keys. Private keys are explicitly called out for Forward Trust, both intermediate and end-entity certs depend on the private key of the Enterprise Root CA, which may or may not be on the FW itself so I'm not sure, but definitely not A. "Click Generate at the bottom of the certificates page. Enter a Certificate Name, such as my-ssl-fwd-untrust. Set the Common Name, for example 192.168.2.1. Leave Signed By blank. Click the Certificate Authority check box to enable the firewall to issue the certificate. Click Generate to generate the certificate. Click OK to save. Click the new my-ssl-fwd-untrust certificate to modify it and enable the Forward Untrust Certificate option." https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-forward-proxy#idb39a2a9b-9c02-413b-ab1c-dc687b7bcb21

I think it's BCE..

How to Configure SSL Decryption- https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmyCAC This link has a video and might be helpful for understanding this topic, though the answer to this question isn't directly given, unfortunately. When talking about the Forward Untrust Certificate, it does mention, "uncheck Export private key, as it’s not required", so maybe not Answer A. It also says about Inbound SSL Decryption, "To configure this properly, the administrator imports a copy of the protected server’s certificate and key." So yes to Answer D.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryption-concepts/keys-and-certificates-for-decryption-policies https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/decryption/configure-ssl-inbound-inspection https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/decryption/configure-ssl-forward-proxy#idb39a2a9b-9c02-413b-ab1c-dc687b7bcb21 A - doesnt matter since it's untrusted E - if applicable is used to sign leaf (the server certs for inbound proxy) and forward untrust.

the correct choices are C. Forward Trust certificate, D. End-entity (leaf) certificate, and E. Intermediate certificate(s).

They are asking which certs require a private key...nothing about importing them or such, just which ones require it. Via McDrudge's link you definitely need a private key for a CA so it can sign the forward trust cert. The forward trust cert i think we all agree needs to have it. The intermediate also needs it.

BCD are correct. Untrust is self-signed and is not imported. Question mentioned SSL Inbound Inspection which uses leaf certificates of servers with private key. Enterprise CA is needed for chain of trust for the Forward Trust Certificate. Both of which are imported with their associate private keys.

ACD. See McDrudge link.

ACD, per McDrudge's text.

I think it's BCE. Forward Untrust Certificate don't need to be imported. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-forward-proxy

ACE are correct