Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 178
An engineer is planning an SSL decryption implementation.
Which of the following statements is a best practice for SSL decryption?
Answer options
- A. Obtain an enterprise CA-signed certificate for the Forward Trust certificate.
- B. Use an enterprise CA-signed certificate for the Forward Untrust certificate.
- C. Use the same Forward Trust certificate on all firewalls in the network.
- D. Obtain a certificate from a publicly trusted root CA for the Forward Trust certificate.
Correct answer: A
Explanation
The correct answer is A because signing the Forward Trust certificate with the enterprise CA ensures that the certificates the firewall presents during decryption are trusted within the organization. Option B is incorrect because it applies the enterprise CA signature to the Forward Untrust certificate, which is not a best practice. Option C is wrong because using the same Forward Trust certificate on all firewalls can lead to security vulnerabilities. Option D is also incorrect since a certificate from a publicly trusted root CA is not necessary for internal SSL decryption.