Why must a network engineer avoid using the default X.509 certificate when implementing clientless SSLVPN on an ASA?
A. The certificate is too weak to provide adequate security.
B. The certificate is regenerated at each reboot.
C. The certificate must be managed by the local CA.
D. The default X.509 certificate is not supported for SSLVPN.
Good point, default certs do not require a local CA.
Answer is B
B is correct.
Note: By default, the ASA generates a self-signed X.509 certificate upon startup. This certificate is used in order to serve client connections by default. It is not recommended to use this certificate because its authenticity cannot be verified by the browser. Furthermore, this certificate is regenerated upon each reboot so it changes after each reboot.
https://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119417-config-asa-00.html
B is the correct answer. The certificate used for SSL VPN doesn’t HAVE to be managed by any local CA. It can be the default certificate, but if it is – it will be re-generated on each reboot.