3.9 Implement Public Key Infrastructure

Question 1

Policies, procedures, hardware, software, and people involved in creating, distributing, and managing digital certificates.

Answer 1

Public key infrastructure (PKI)

Question 2

What are the 6 steps to the Public key management lifecycle?

Answer 2

Key generation
Certificate generation
Distribution
Storage
Revocation
Expiration

Question 3

What is the only way to trust a certificate is valid?

Answer 3

Using the digital signature

Question 4

When creating a key pair, which key would you send to the CA to be digitally signed?

Answer 4

Public key

Question 5

What kind of organizations almost always should have their own internal CA?

Answer 5

Medium to large organizations with 100s of servers

Question 6

What is the best way to provide redundancy to a CA infrastructure?

Answer 6

Make it hierarchical

Question 7

What is the registration authority? (RA)

Answer 7

RA identifies and authenticates the requester

Responsible for cert revocations

Question 8

The fully qualified domain name (FQDN) for a website on a certificate.

Answer 8

Common name (CN)

Question 9

What is the subject alternative name (SAN) on a website certificate?

Answer 9

additional host names for the site (i.e. www.google.com and google.com)

Question 10

What is the CRL that is maintained by the CA?

Answer 10

Certificate revocation list

Question 11

A check that is done by your browser to check for a certificate revocation without downloading the entire CRL.

Answer 11

Online Certificate Status Protocol (OCSP)

Question 12

The certificate that lies at the start of the PKI infrastructure. All subsequent certificates will branch off of this one.

Answer 12

Root certificate

Question 13

When do you use self-signed certificates?

Answer 13

When you don’t need to distribute the certificate externally

Question 14

What is the standard used when working with certificates?

Answer 14

X.509 Standard

Question 15

Encoding format designed to transfer syntax for data structures, and is perfectly suited for certificates. Represented in binary format.

Answer 15

Distinguished Encoding Rules (DER)

Question 16

Container format for storing multiple certificates or keys in a single container. Derived from Microsoft’s .pfx format

Answer 16

PKCS #12`

Question 17

What’s the benefit for keeping one or more CAs offline?

Answer 17

Easily recover if an intermediate CA is compromised

Question 18

This provides scalability to OCSP process of certificate revocation checking. Allows OCSP status information to be sent with the SSL/TLS handshake.

Answer 18

OCSP stapling

Question 19

Process of adding a certificate or public key to an application the first time it runs so you can compare it with the cert on the server.

Answer 19

Pinning

Question 20

PGP is a web of trust. What does this mean?

Answer 20

There is no central CA. Certificates are signed and trusted within the network

Question 21

What is it called when a third party manages your private keys?

Answer 21

Key escrow

Question 22

Allows you to see and validate all certificates between the server issuing a certificate and the root CA.

Answer 22

Certificate chaining