Which of the following statements is consistent with SSL decryption best practices?

An engineer is tasked with configuring SSL forward proxy for traffic going to external sites.

Which of the following statements is consistent with SSL decryption best practices?

A. The forward trust certificate should not be stored on an HSM.

B. The forward untrust certificate should be signed by a certificate authority that is trusted by the clients.

C. Check both the Forward Trust and Forward Untrust boxes when adding a certificate for use with SSL decryption

D. The forward untrust certificate should not be signed by a Trusted Root CA

View Answer

Answer: B

Explanation:

According to the PCNSE Study Guide1, SSL forward proxy is a feature that allows the firewall to decrypt and inspect SSL traffic going to external sites. The firewall acts as a proxy between the client and the server, generating a certificate on the fly for each site.

The best practices for configuring SSL forward proxy are23:

✑ Use a forward trust certificate that is signed by a certificate authority (CA) that is trusted by the clients. This certificate is used to sign certificates for sites that have valid certificates from trusted CAs. The clients will not see any certificate errors if they trust the forward trust certificate.

✑ Use a forward untrust certificate that is not signed by a trusted CA. This certificate is used to sign certificates for sites that have invalid or untrusted certificates. The clients will see certificate errors if they do not trust the forward untrust certificate.

This helps alert users of potential risks and prevent man-in-the-middle attacks.

✑ Do not store the forward trust or untrust certificates on an HSM (hardware security module). The HSM does not support on-the-fly signing of certificates, which is required for SSL forward proxy.