CAS-001 Question #527: Real Exam Question with Answer & Explanation
The correct answer is A: Install a self-signed Root CA certificate on the proxy server.
Question
Options
- A. Install a self-signed Root CA certificate on the proxy server.
- B. The proxy configuration of all users' browsers must point to the proxy IP.
- C. TCP port 443 requests must be redirected to TCP port 80 on the web server.
- D. All users' personal certificates' public key must be installed on the proxy.
- E. Implement policy-based routing on a router between the hosts and the Internet.
- F. The proxy certificate must be installed on all users' browsers.
Explanation
For a transparent SSL/TLS inspection proxy (SSL bump), three things must be in place:
- (1) A self-signed Root CA certificate on the proxy (A) - the proxy dynamically generates per-site certificates signed by its own CA, impersonating the destination server to decrypt and re-encrypt traffic.
- (2) Policy-based routing on a router (E) - since it's a transparent proxy, users do not manually configure their browsers. Traffic must be silently redirected to the proxy at the network layer using policy-based routing or WCCP.
- (3) The proxy's CA certificate installed in all users' browsers (F) - for browsers to trust the dynamically generated certificates the proxy presents, they must trust the proxy's CA.

Option B (explicit browser proxy config) contradicts a transparent proxy design. Option C (redirecting 443 to 80) would break HTTPS. Option D (user personal certificates on the proxy) is unnecessary for this architecture.
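The trust relationship behind (A) and (F) can be reproduced offline with the `openssl` CLI. This is an added example, not part of the original question page; the CA name, host names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Constructed names: "Example Inspection Root CA", *.example.test.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# (A) Self-signed root CA that lives on the inspection proxy.
make_proxy_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Inspection Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Per-site certificate: a leaf for the requested host, signed by the proxy's
# own CA instead of the site's real issuer.
mint_site_cert() {
    host=$1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$WORK/$host.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" -config "$WORK/ca.cnf" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 7 -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# (F) Client-side validation. $2 is the CA file the client trusts; omit it to
# model a browser that only has its stock trust store.
client_accepts() {
    host=$1
    if [ -n "$2" ]; then set -- -CAfile "$2"; else set --; fi
    openssl verify "$@" -verify_hostname "$host" "$WORK/$host.crt" 2>/dev/null \
        | grep -q ': OK$'
}

make_proxy_ca
mint_site_cert www.example.test
client_accepts www.example.test \
    && echo "stock trust store: accepted" || echo "stock trust store: rejected"
client_accepts www.example.test "$WORK/ca.crt" \
    && echo "proxy CA trusted: accepted" || echo "proxy CA trusted: rejected"
```

The generated leaf validates only when the client has been given the proxy's CA certificate, which is the step option F describes.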