
PCNSE Question #589: Real Exam Question with Answer & Explanation

The correct answer is A: The forward trust certificate has not been signed by the self-signed root CA certificate.

Submitted by andres_qro · Apr 18, 2026 · Configuration Troubleshooting

Question

Review the screenshot of the Certificates page. An administrator for a small LLC has created a series of certificates, as shown, to use for a planned Decryption rollout. The administrator has also installed the self-signed root certificate in all client systems. When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings. What is the cause of the unsecured website warnings?

Options

  • A. The forward trust certificate has not been signed by the self-signed root CA certificate
  • B. The self-signed CA certificate has the same CN as the forward trust and untrust certificates
  • C. The forward untrust certificate has not been signed by the self-signed root CA certificate
  • D. The forward trust certificate has not been installed in client systems

Explanation

In SSL Forward Proxy decryption, when a user visits a trusted SSL site, the firewall intercepts the connection and dynamically generates a new certificate for the site, signed using the firewall's Forward Trust certificate. For the browser to trust this re-signed certificate, the Forward Trust certificate itself must be signed by (chained to) a CA that the browser already trusts - in this case, the self-signed root CA installed on client systems. If the Forward Trust certificate is not signed by that root CA, the browser cannot build a valid trust chain, and will display an 'unsecured website' warning. Installing the root CA on clients (done here) is necessary but not sufficient - the Forward Trust cert must also be signed by that same root CA.
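The chain check described in the explanation, reproduced with the openssl CLI as an added example (not part of the original question and not Palo Alto tooling). The lab PKI, file names and CNs are constructed, and `openssl verify` stands in for the browser's chain building; OpenSSL 1.1.1 or later is assumed.

```shell
#!/usr/bin/env bash
# Constructed lab PKI: all names and CNs are invented for this demo.
LAB=$(mktemp -d)
cat > "$LAB/x509.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF

# new_ca NAME CN: self-signed CA certificate (subject == issuer).
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$LAB/x509.cnf" \
    -extensions v3_ca -subj "/CN=$2" -keyout "$LAB/$1.key" -out "$LAB/$1.crt" 2>/dev/null
}

# issue NAME CN ISSUER EXT: new key + CSR for NAME, signed by ISSUER.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$LAB/x509.cnf" -subj "/CN=$2" \
    -keyout "$LAB/$1.key" -out "$LAB/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$LAB/$1.csr" -days 30 -CA "$LAB/$3.crt" -CAkey "$LAB/$3.key" \
    -CAcreateserial -extfile "$LAB/x509.cnf" -extensions "$4" -out "$LAB/$1.crt" 2>/dev/null
}

# client_trusts SITE FWD: a client whose trust store holds only root.crt tries
# to build SITE -> FWD -> root, with FWD presented by the firewall (untrusted).
client_trusts() {
  openssl verify -CAfile "$LAB/root.crt" -untrusted "$LAB/$2.crt" "$LAB/$1.crt" >/dev/null 2>&1
}

new_ca root    "Lab Root CA"                      # installed on every client
new_ca ft_bad  "Lab Forward Trust standalone"     # the misconfiguration: not signed by root
issue  ft_good "Lab Forward Trust chained" root v3_ca  # corrected: signed by root
# Stand-ins for the per-site certificates the firewall generates while decrypting.
issue site_bad  www.example.com ft_bad  v3_leaf
issue site_good www.example.com ft_good v3_leaf

for fwd in bad good; do
  openssl x509 -in "$LAB/ft_$fwd.crt" -noout -subject -issuer
  if client_trusts "site_$fwd" "ft_$fwd"; then echo "=> chain to root OK"
  else echo "=> no chain to root: browser warning"; fi
done
```

The same subject/issuer comparison can be run against a Forward Trust certificate exported from the firewall: if its issuer is not the root CA deployed to clients, the chain cannot validate.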

Topics

#SSL Decryption · #PKI · #Certificate Trust Chain · #Forward Proxy Decryption
