Fortinet NSE 4 (Security) - 06. Certificate Operations Practice Exam Questions and Answers (100% Pass)

Fortinet NSE 4 (Security) - 06. Certificate Operations Practice Exam Questions and Answers (100% Pass) What is the certificate standard supported by FortiGate? - Answer️️ -X.509v3 (the most common standard for certificates) Which certificate store is utilized by FortiOS? - Answer️️ -Mozilla CA What four checks does FortiGate run prior to trusting a certificate? - Answer️️ -1. Check the CRLs both locally and using OCSP 2. Read the value of the Issuer filed to determine if there is a corresponding CA certificate (if there is no CA certificate, the certificate is not trusted) 3. Verifies the current date is between the Valid From and Valid To values 4. Validates the signature What is the process a CA uses to create a digital signature? - Answer️️ -1. CA runs the contents of certificate through a hash, which is referred to as the original hash result 2. The CA encrypts the original hash result using its private key, the result of which is the digital signature What is the process FortiGate uses to verify the digital signature? - Answer️️ -1. FortiGate runs the certificate through a hash function, which has been identified in the certificate 2. FortiGate decrypts the digital signature provided by the CA using the CA public key ©PREP4EXAMS2024/2025 REAL EXAMS DUMP Wednesday, August 7, 2024 9: 33 PM 2 3. FortiGate compares the values from Steps 1 & 2 above to confirm they match. Match = valid signature What is the process of establishing an SSL handshake? - Answer️️ -1. FortiGate connects to the web server and provides information such as the SSL version in use and cryptographic algorithms supported 2. Web server responds with chosen SSL version and cipher suite, as well as a copy of its certificate 3. FortiGate validates web server certificate (Does it have corresponding CA cert?, Signature valid?, Valid dates?, Revocation check?) 4. FortiGate generates the premaster secret, using the web server's public key to encrypt 5. Web server uses private key to decrypt premaster secret 6. Both sides derive the master secret based on the premaster secret 7. Session (symmetric) key is generated based on the shared master secret 8. Both ends send a digest (summary) of the messages exchanged so far. The digests are encrypted with the session key, and ensure than none of the messages have been intercepted or replaced By default, what does SSL use to discern the hostname of the SSL server at the beginning of the SSL handshake? - Answer️️ -Server Name Identification (SNI) from client Hello, which is an extension of the TLS protocol If there is no SNI (Server Name Identification) exchanged during the SSL handshake, what does SSL use to identify the server? - Answer️️ -The value in the Subject field or SAN (Subject Alternative Name) field in the server certificate ©PREP4EXAMS2024/2025 REAL EXAMS DUMP Wednesday, August 7, 2024 9: 33 PM 3 What are the only security features you can apply using SSL certificate inspection mode? - Answer️️ -Web Filtering and Application Control How do you enable SSL certificate inspection? - Answer️️ -Select the read-only, preconfigured certificate-inspection SSL/SSH Certificate Inspection when configuring a firewall policy When using full SSL inspection, the FortiGate must act as a proxy web server, what settings must be configured in the certificate? - Answer️️ -cA=True AND keyUsage=keyCertSign What are the two possible configurations for full SSL inspection? - Answer️️ - Outbound (i.e., internal devices connecting to external devices) a