Certificates

Question 1

What is a public key certificate?

Answer 1

Binds a public key with a digital signature and details about the key holder.

Question 2

What adds trust in a digital signature?

Answer 2

Certificate Authorities (CAs) and the Web of Trust provide additional trust.

Question 3

Where can certificate creation be built into?

Answer 3

Part of Windows Domain services and through many third-party options.

Question 4

What standard format do digital certificates use?

Answer 4

X.509

Question 5

Name three details found in a digital certificate.

Answer 5

Serial number, issuer, public key.

Question 6

What is the root of trust?

Answer 6

An inherently trusted component in IT security, such as hardware or software.

Question 7

How can trust be built from something unknown?

Answer 7

Through approval from someone/something trustworthy.

Question 8

What is the role of a Certificate Authority (CA)?

Answer 8

It digitally signs website certificates, establishing trust.

Question 9

How are third-party CAs integrated?

Answer 9

They are built into web browsers to validate and trust websites.

Question 10

What is a Certificate Signing Request (CSR)?

Answer 10

A request sent to a CA that includes a public key for signing after creating a key pair.

Question 11

How does a CA validate a CSR?

Answer 11

By confirming DNS, emails, and website ownership.

Question 12

What defines a private certificate authority?

Answer 12

An in-house CA that issues certificates for internal use within an organization.

Question 13

What is a self-signed certificate?

Answer 13

A certificate signed by its own CA, used internally within a company.

Question 14

What is a wildcard certificate?

Answer 14

A certificate that applies to all server names in a domain, using a wildcard (e.g., *.example.com).

Question 15

What is a Subject Alternative Name (SAN)?

Answer 15

An extension to an X.509 certificate that lists additional identification information.

Question 16

What is a Certificate Revocation List (CRL)?

Answer 16

A list maintained by a CA that contains revoked certificates for various reasons.

Question 17

What was CVE-2014-0160?

Answer 17

The Heartbleed vulnerability that exposed private keys of affected web servers.

Question 18

What happens when a certificate is revoked?

Answer 18

It is listed in the CRL, indicating it should no longer be trusted.

Question 19

What can trigger key revocation?

Answer 19

Changes in security status, such as compromised private keys or expired certificates.

Question 20

What does OCSP stand for?

Answer 20

Online Certificate Status Protocol

Question 21

What is the primary purpose of OCSP?

Answer 21

To provide a scalable method for checking the status of certificates.

Question 22

Who is responsible for responding to client OCSP requests?

Answer 22

The Certificate Authority (CA) is responsible for responding to all client OCSP requests.

Question 23

What is a potential issue with the CA responding to OCSP requests?

Answer 23

It may not scale well with a large number of requests.

Question 24

How does the certificate holder contribute to OCSP?

Answer 24

The certificate holder verifies their own status, with status information stored on their server.

Question 25

What is “OCSP stapling”?

Answer 25

OCSP status information is stapled into the SSL/TLS handshake, digitally signed by the CA.

Question 26

How does a browser retrieve certificate revocation details?

Answer 26

The browser sends messages to an OCSP responder via HTTP to check for certificate revocation.

Question 27

Why is OCSP preferred over CRLs for revocation checks?

Answer 27

OCSP is more efficient than downloading a Certificate Revocation List (CRL).

Question 28

Do all browsers support OCSP?

Answer 28

No, not all browsers or applications support OCSP; early versions of Internet Explorer did not support it.

Question 29

What is a limitation of some browsers regarding OCSP?

Answer 29

Some browsers may support OCSP but do not actually check for certificate revocation.