Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 154
A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (CAs):
i. Enterprise-Trusted-CA, which is verified as Forward Trust Certificate (the CA is also installed in the trusted store of the end-user browser and system)
ii. Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate
iii. Enterprise-Intermediate-CA
iv. Enterprise-Root-CA, which is verified only as Trusted Root CA
An end-user visits https://www.example-website.com/ with a server certificate Common Name (CN): www.example-website.com. The firewall does the SSL Forward Proxy decryption for the website, and the server certificate is not trusted by the firewall.
The end-user's browser will show that the certificate for www.example-website.com was issued by which of the following?
Answer options
- A. Enterprise-Trusted-CA which is a self-signed CA
- B. Enterprise-Root-CA which is a self-signed CA
- C. Enterprise-Intermediate-CA which was, in turn, issued by Enterprise-Root-CA
- D. Enterprise-Untrusted-CA which is a self-signed CA
Correct answer: D
Explanation
The correct answer is D. In SSL Forward Proxy, the firewall re-signs the impersonation certificate it presents to the client with the Forward Trust certificate when the original server certificate validates, and with the Forward Untrust certificate when it does not. Because the firewall does not trust this server certificate, the browser sees a certificate issued by Enterprise-Untrusted-CA, and since that CA is not in the client's trusted store the browser raises a warning, which is the intended signal to the end-user. Options A, B, and C are incorrect: Enterprise-Trusted-CA (the Forward Trust certificate) is only used when the server certificate is trusted, and Enterprise-Intermediate-CA and Enterprise-Root-CA are not configured as the Forward Untrust certificate, so none of them applies to an untrusted server certificate.