3.9 Flashcards

1
Q

Public key infrastructure (PKI)

A

Public Key Infrastructure (PKI) is asymmetric encryption that has a Certificate Authority and the associated infrastructure to support issuing and managing certificates.

2
Q

Key management

A

Key management is the set of activities that an organization must undertake to ensure that keys enable proper cryptography and do not cause security issues.

3
Q

Certificate authority (CA)

A

The Certificate Authority (CA) is the ultimate authority as it holds the master key, also known as the root key, for signing all of the certificates that it gives to the Intermediary who issues the certificate to the requester.

4
Q

Intermediate CA

A

Issues the certificates to the requester.

5
Q

Registration authority (RA)

A

The RA validates and accepts the incoming requests for certificates from users on the network and notifies the CA to issue the certificates. The certificates that are issued are known as X.509 certificates.

6
Q

Certificate revocation list (CRL)

A

This is the first stage in checking whether a certificate is valid. If the certificate is not valid, it will be entered into the CRL. If the X.509 certificate is in the CRL, it is no longer valid and will not be accepted. No matter how obscure the question posed in the exam, unless the CRL is running slowly or you are looking for a faster lookup, it will be the CRL that provides certificate validity. No matter the scenario, the CRL is the default.

7
Q

Certificate attributes

A

A digital certificate binds an individual’s identity to a public key, and it contains all the information a receiver needs to be assured of the identity of the public key owner. The certificates are created and formatted based on the X.509 standard, which outlines the necessary fields of a certificate and the possible values that can be inserted into the fields.

8
Q

Online Certificate Status Protocol (OCSP)

A

The OCSP comes into play only when the CRL is running slowly. It is much faster than the CRL and can take load off the CRL in a very busy environment.

9
Q

Certificate signing request (CSR)

A

This is the process of requesting a new certificate.

10
Q

CN

A

The Common Name (CN) field is represented in the Subject field of the certificate and is the fully qualified domain name (FQDN) for which the certificate is valid.

11
Q

Subject alternative name

A

Subject Alternative Name (SAN) is a field (extension) in a certificate that has several uses. In certificates for machines, it can represent the FQDN of the machine. For users, it can be the user principal name (UPN) or, in the case of an SSL certificate, it can indicate multiple domains across which the certificate is valid.

12
Q

Expiration

A

A certificate itself has a lifetime that can be different from the key pair’s lifetime. The certificate’s lifetime is specified by the validity dates inserted into the digital certificate. These are beginning and ending dates indicating the time period during which the certificate is valid.

13
Q

Wildcard Certificate

A

For a wildcard certificate for a domain called securityplus.training, the wildcard certificate would be *.securityplus.training and could be used for the domain and a subdomain. For example, in the securityplus.training domain, there are two servers called web and mail. The wildcard certificate is *.securityplus.training and, when installed, it would work for the Fully Qualified Domain Names (FQDNs) of both of these: web.securityplus.training and mail.securityplus.training.

14
Q

Subject Alternate Name Certificate

A

A SAN certificate can be used on multiple domain names, such as abc.com or xyz.com. You can also insert other information into a SAN certificate, such as an IP address.

15
Q

Code Signing certificate

A

Code-signing certificates are used to digitally sign software so that its authenticity is guaranteed.

16
Q

Self-Signed Certificate

A

A self-signed certificate is issued by the same entity that is using it. However, it does not have a CRL and cannot be validated or trusted. It is the cheapest form of internal certificates and can be placed on multiple servers.

17
Q

Machine/computer Certificate

A

A computer or machine certificate is used to identify a computer within a domain.

18
Q

Email Certificate

A

Digital certificates can be used with e-mail systems for items such as digital signatures associated with e-mails. Just as other specialized functions such as code signing have their own certificates, it is common for a separate e-mail certificate to be used for identity associated with e-mail.

19
Q

User Certificate

A

User certificates are just that—certificates that identify a user. They are an example of an end-entity certificate.

20
Q

Root Certificate

A

A root certificate is a certificate that forms the initial basis of trust in a trust chain. All certificates are signed by the CA that issues them, and CAs can be chained together in a trust structure.

21
Q

Domain Validation Certificate

A

A Domain-Validated (DV) certificate is an X.509 certificate that proves the ownership of a domain name.

22
Q

Extended Validation Certificate

A

Extended validation certificates provide a higher level of trust in identifying the entity that is using the certificate. It would normally be used in the financial arena.

23
Q

Distinguished Encoding Rules (DER)

A

Distinguished Encoding Rules (DER) is one of the Abstract Syntax Notation One (ASN.1) encoding rules that can be used to encode any data object into a binary file. With respect to certificates, the data associated with the certificate, a series of name-value pairs, needs to be converted to a consistent format for digital signing. DER offers a consistent mechanism for this task. A DER file (.der extension) contains binary data and can be used for a single certificate.

24
Q

Privacy-Enhanced Mail (PEM)

A

Privacy-Enhanced Mail (PEM) is the most common format used by certificate authorities when issuing certificates. PEM comes from RFC 1422 and is a Base64-encoded ASCII file that begins with “-----BEGIN CERTIFICATE-----”, followed by the Base64 data, and ends with “-----END CERTIFICATE-----”. A PEM file supports multiple digital certificates, including a certificate chain.

25
Q

Personal Information Exchange (PFX)

A

A PKCS#12 file is a portable file format with a .pfx extension. It is a binary format for storing the server certificate, intermediate certificates, and the private key in one file. Personal Information Exchange (PFX) files are typically used on Windows machines to import and export certificates and private keys.

26
Q

.cer

A

The .cer file extension is used to denote an alternative form, from Microsoft, of CRT files. The .cer/.crt extension is used for certificates and may be encoded as binary DER or as ASCII PEM. The .cer and .crt extensions are nearly synonymous. The .cer extension is most commonly associated with Microsoft Windows systems, whereas .crt is associated with UNIX systems.

The file extension .cer is an SSL certificate file format used by web servers to help verify the identity and security of the site in question.

27
Q

p12

A

P12 is an alternative file extension for the PKCS#12 file format, a binary format for storing the server certificate, intermediate certificates, and the private key in one encrypted file. These files usually have an extension such as .pfx or .p12. They are typically used on Windows machines to import and export certificates and private keys.

28
Q

P7B

A

The PKCS#7 or P7B format is stored in Base64 ASCII format and has a file extension of .p7b or .p7c. A P7B file begins with “-----BEGIN PKCS7-----” and only contains certificates and chain certificates (intermediate CAs), not the private key. The most common platforms that support P7B files are Microsoft Windows and Java Tomcat.

29
Q

Online vs. Offline CA

A

Online CA: An internal online CA is always up and running so that people in the company can request a certificate at any time of the day or night. This would not be the case in a government or top-security environment.

Offline CA: An offline CA is for a military or secure environment where clearance and vetting must be completed before someone can be issued with a certificate. The CA is kept offline and locked up when it is not being used. It is switched off so that it cannot issue new certificates.

30
Q

Stapling

A

Certificate stapling, also known as OCSP stapling, is used when a web server bypasses the CRL to use the OCSP for faster certificate validation.
TIP

Certificate validity can only be checked by the CRL or OCSP. The CRL is the default; the OCSP is used when you are looking for a faster validation.

31
Q

Pinning

A

Certificate pinning prevents the compromising of the CA and the issuing of fraudulent X.509 certificates. It prevents SSL man-in-the-middle attacks.
TIP

Certificate pinning prevents the compromising of the CA, certificate fraud, and SSL man-in-the-middle attacks.

32
Q

Trust Model

A

Trust Model: A trust model proves the authenticity of a certificate; there are two trust models:

a. Hierarchical Trust Model: This uses a hierarchy from the root CA down to the intermediary (also known as a subordinate); this is the normal PKI model.
b. Bridge Trust Model: The bridge trust model is peer-to-peer, where two separate PKI environments trust each other. The certificate authorities communicate with each other, allowing for cross-certification. Sometimes, this is referred to as the trust model.

33
Q

Key Escrow

A

The key escrow holds the private keys for third parties and stores them in a Hardware Security Module (HSM), a device that can store digital keys.

34
Q

Certificate Chaining

A