Chapter 2 Implementing Public Key Infrastructure Flashcards
What type of certificate does a CA have?
A CA has a root certificate, which it uses to sign keys.
If you are going to use a CA internally, what type of CA should you choose?
You would use a private CA for internal use only; these certificates will not be
accepted outside of your organization
If you want to carry out B2B activity with third-party companies or sell products on
the web, what type of CA should you use?
You would use a public CA for B2B activities.
Why should you take your CA offline when not in use?
If you were a military, security, or banking organization, you would keep the CA offline when it is not being used to prevent it from being compromised.
What type of encryption does PKI use?
PKI uses asymmetric encryption.
Who signs X509 certificates?
The CA signs the X509 certificates
What can you use to prevent your CA from being compromised and fraudulent
certificates from being issued?
Certificate pinning can be used to prevent a CA from being compromised and
fraudulent certificates from being issued
If two entities want to set up a cross-certification, what must they set up first?
If two separate PKI entities want to set up cross-certification, the root CAs would set up a trust model between themselves, known as a bridge trust model.
What type of trust model does PGP use?
PGP uses a trust model known as a web of trust
How can you tell whether your certificate is valid?
A Certificate Revocation List (CRL) is used to determine whether a certificate
is valid
If the CRL is going slowly, what should you implement?
If the CRL is going slow, you should use OCSP as it provides faster validation.
Explain certificate stapling/OCSP stapling
Certificate stapling/OCSP stapling is where a web server uses an OCSP for faster certificate authentication, bypassing the CRL.
What is the process of obtaining a new certificate?
You would submit a Certificate Signing Request (CSR) to request a new certificate.
What is the purpose of the key escrow?
The key escrow stores and manages private keys for third parties
What is the purpose of the HSM?
A hardware security module (HSM) is used by the key escrow to securely store and manage certificates.
What is the purpose of the DRA, and what does it need to complete its role effectively?
The purpose of the DRA is to recover data when a user’s private key becomes corrupt. To do this, it must first obtain a copy of the private key from the key escrow.
How can you identify each certificate?
Each certificate can be identified by its OID, which is similar to a serial number.
What format (PKCS) is a private certificate, and what file extension does it have?
A private certificate is in P12 format with a .pfx extension.
What format (PKCS) is a public certificate, and what file extension does it have?
A public certificate is in P7B format with a .cer extension.
What format is a PEM certificate?
A PEM certificate is in Base64 format
What type of certificate can be used on multiple servers in the same domain?
A wildcard certificate can be used on multiple servers in the same domain.
What type of certificate can be used on multiple domains?
A Subject Alternative Name (SAN) certificate can be used on multiple domains
What should you do with your software to verify that it is original and not a fake copy?
You would code-sign the software in order to verify that it is the original, and not a copy. This is similar to a digital signature in that it ensures the integrity of the software.