Exam PCNSE topic 1 question 440 discussion

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/configure-ssl-forward-proxy

The Forward Trust Certificate must be installed on client system and it isn't mandatory that it is signed by a self-signed CA or External CA. It is already a CA

Answer A is correct as written by user:

This is really tricky question. I think the answer is A the logic is from this document. https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy# Step 3 says If you don’t install the forward trust certificate on client systems, users see certificate warnings for each SSL site they visit. But again in the step 3 notes section its mentioned that :- Export the firewall Trusted root CA certificate so that you can import it into client systems. Highlight the certificate and click Export at the bottom of the window. Choose PEM format. So in this case , the admin has installed root cert on the client machines.

The self-signed root certificate and the trusted forward certificate both share the same Common Name (CN), which is "192.168.127.14", and they are both issued by themselves, indicating a self-signed status. It appears that the trusted forward certificate could indeed be self-signed, given the information provided. Since the host doesn't trust the Trusted Forward certificate, but would trust it if it were signed by the Self-Signed Root, it suggests that the Trusted Forward certificate is also self-signed. This alignment in certificate attributes explains the appearance of the untrusted warning. Hence, the answer is A.

Forward-trust CA cert must be signed by an already-trusted (enterprise OR self-signed) root CA. In this case, the self-signed root CA cert has already been installed on clients. So, all that's left is for the forward-trust cert to be signed by the already-trusted self-signed root CA. Thus, I'd go with A.

B is correct. Think of forward trust CA cert as an intermediate cert which signs the copy of the actual server cert. It needs to be installed on the client systems along with the root cert to complete the cert chain.

I would go with A coz even if the Admin installs the self singed root CA in all the clients whenever they go out to an SSL site (server) the certificate of that site(server) should be singed by the forward trust cert

See Betty 2022

It should be B: The question refers to a self-signed Root CA certificate. Step2 - has 2 options https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/configure-ssl-forward-proxy > Use an enterprise CA-signed certificate as the Forward Trust certificate or > Use a self-signed certificate as the Forward Trust certificate Step3: If you are using an enterprise-CA signed certificate as the forward trust certificate for SSL Forward Proxy decryption, and the client systems already have the enterprise CA installed in the local trusted root CA list, you can skip this step. (The client systems trust the subordinate CA certificates you generate on the firewall because the Enterprise Trusted Root CA has signed them.) --- Since we use self-signed certificate, we cant skip Step 3,so: Distribute the forward trust certificate to client system certificate stores. If you do not install the forward trust certificate on client systems, users see certificate warnings for each SSL site they visit.

the self signed CA of the FW means nothing to client machines, unless either it or the FT cert have been installed on the client machine. Definitely B.

The forward trust can be signed by the Enterprise CA. The forward trust certificate is not signed by a self-signed cert, but can be a self-signed CA.This only leaves B as a correct answer if we assume the forward trust cert is self-signed and not an Enterprise signed CA. "If you do not install the forward trust certificate on client systems, users see certificate warnings for each SSL site they visit." https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/configure-ssl-forward-proxy

Possible answer is A or B if the forward trust is signed by the trusted root you don't need to install it on the client (Probably, never tested it myself). if the forward trust is not signed by the trusted root you need to install it on the client (Tested on PAN-OS 10.1.8). since in this case the forward is not signed i choose B

Absolutely A. If the client installed CA hasn't signed the cert, it will not be trusted.

should be A

Yes, should be A. The cert. was issued by itself, not the ROOT cert.