Chapter 6 PKI

Question 1

What is a PFX/.pfx extension?

Answer 1

or .p12 extension is used to export a certificate along with its private key. The file is password protected and can archive or transport a private key.

Question 2

What is a P7B extension?

Answer 2

extension bundles multiple certificates into a single file. It is used to deliver a chain of certificates that are trusted by the processing host. It does not contain a private key

Question 3

What is a CER?

Answer 3

an actual certificate that contains information about the subject like name and location. It is written in either binary DER or ASCII PEM data.

Question 4

What is a CRT?

Answer 4

is the same as a .cer file extension. It is a basic certificate that contains information about the subject

Question 5

How do public root certificates work?

Answer 5

Allow users to trust a website using the chain of trust to the root authority. Private organizations must load employee web browsers with internal root certificates to verify internal websites

Question 6

What is Domain validation?

Answer 6

proving the ownership of a domain, which may be proved by responding to an email to the authorized point of contact. This process is highly vulnerable to compromise

Question 7

What is the typical lifespan of a certificate

Answer 7

10+ years

Question 8

When is a certificate usually renewed

Answer 8

Before it expires

Question 9

What is meant by a certificate being rekeyed

Answer 9

When a new key is generated

Question 10

What is stapling?

Answer 10

Mechanism used to mitigate performance and privacy issues when requesting certificate status from an OCSP responder

Question 11

How is stapling used in securing privacy with OCSP?

Answer 11

by having the SSL/TLS web server periodically obtain a time-stamped OCSP response from the CA. When a client submits an OCSP request, the web server returns the time-stamped response, rather than making the client contact the OCSP responder itself.

Question 12

What is pinning?

Answer 12

refers to several techniques to ensure that when a client inspects the certificate presented by a server or a code-signed application, it is inspecting the proper certificate

Question 13

How is Pinning implemented?

Answer 13

By embedding the certificate data in the application code. or by submitting one or more public keys to an HTTP browser via an HTTP header, which is referred to as HTTP Public Key Pinning (HPKP)

Question 14

What is distinguished Encoding Rules (DER)

Answer 14

The binary format used to structure the information in a digital certificate. Like Cryptographic data-both certificates and keys

Question 15

What is ASCII

Answer 15

7-bit code page mapping binary values to character glyphs. Standard ASCII can represent 127 characters, though some values are reserved for non-printing control characters.

Question 16

What is a convention?

Answer 16

A three file character file extension

Question 17

What convention is widely used for ASCII format files in Linux

Answer 17

.PEM

Question 18

What does PKCS #12 format allow you to do?

Answer 18

export of the private key with the certificate.

Question 19

On windows what extension would a PKCS #12 format have?

Answer 19

.PFX

Question 20

What is the command to create a RSA key pair in Linux?

Answer 20

openssl genrsa -aes256 -out cakey.pem 4096

Question 21

What are the steps to configure a Root CA?

Answer 21

1. Setup a directory structure and adapt an OpenSSL config file
2. Create an RSA key pair
3. Use the RSA key pair to generate a self-signed root X.509 digital certificate

Question 22

What are the steps to configure a Certificate Signing Request?

Answer 22

1.Create a CSR with a new key pair
2.Complete the prompts
3.Transmit the CSR file to the CA server
4. On the CA run the command to sign the CSR and output the X.509 certificate
Transmit the .pem file to the web server and update the server config to use it and the private key

Question 23

What do you do when you have a certificate that has been working previously but doesnt work now?

Answer 23

Check that the cert. has not expired or been revoked or suspended

Question 24

If you have a problem with a new cert. What should you do?

Answer 24

Check the key usage settings are appropriate for the app.

Check that the subject name is correctly configured and that the client is using the correct address

Question 25

What do you do when troubleshooting a Cert. that is correctly configured but isnt working

Answer 25

Check the clients have been configured with the appropriate chain of trust.
Verify that the time and data settings are a common cause of cert. problems

Question 26

What is a Digital Certificate

Answer 26

Assertion of identity

Question 27

In Public Key Infrastructure, when you want others to send you confidential messages how do you go about doing that?

Answer 27

You give them your public key to use to encrypt the message.

The message then can only be decrypted by your private key

Question 28

In Public Key Infrastructure When you want to authenticate yourself to others. How do you do it?

Answer 28

You create a signature and sign t by encrypting the signature with your private key.
You give others your public key to use to decrypt the signature.

Question 29

What is certificate chaining or Chain of trust?

Answer 29

When every leaf certificate can be traced back to the root

Question 30

What can find in a Certificate Signing Request?

Answer 30

Info that the subject wants to use in the cert. and its public key

Question 31

What is a Registration Authority (RAs)?

Answer 31

Entities that complete identity checking and submit CSRs on behalf of end-users, but they don’t sign or issue certs.

Question 32

What is a digital certificate?

Answer 32

A wrapper for a subjects public key and also stores info about the subject and the certs issuer or guarantor

Question 33

What is Public Key Cryptography Standards (PKCS)?

Answer 33

Series of standards defining certificate authorities and digital certificates

Question 34

If a new subdomain is added to a cert. Do you need to make a new cert to add the new subdomain?

Answer 34

Yes, unless the Certificate is using a wild card symbol to compensate for all subdomains including new ones

Question 35

What does it mean when an extension is tagged as critical

Answer 35

The application processing the cert. must be able to interpret the extension correctly

Question 36

How does Domain Validation work?

Answer 36

By responding to an email to the authorized domain contact or by publishing a text record to the domain

Question 37

Identification

Answer 37

Creating an accountant od ID that uniquely represents the user, device, or process on the network

Question 38

Authentication

Answer 38

Proving that a subject is who it claims to be when it attempts to access the resource

Question 39

Authorization

Answer 39

Determining what rights subjects should have on each resource, and enforcing those rights

Question 40

Accounting

Answer 40

Tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted

Question 41

Authentication, authorization, and accounting (AAA)

Answer 41

A security concept where a centralized platform verifies subject identification, ensures the subject is assigned relevant permissions, and then logs these actions to create an audit trail.

Question 42

knowledge factor (logon)

Answer 42

Passwords/PIN something you know in oreder to authenticate yourself

Question 43

What is an ownership factor

Answer 43

Something you have The account holder possesses something that no one else does such as smart cards, fobs, or wristbands programmed with a unique identity cert.

Question 44

What is a Biometric factor / Something you are

Answer 44

Uses either physiological identifiers, such as a fingerprint or behavioral identifiers,

Question 45

Multifactor Authentication (MFA)

Answer 45

An authentication scheme that requires the user to present at least two different factors as credentials

Question 46

Two-Factor Authentification (2FA)

Answer 46

combines either an ownership-based smart card or biometric identifier with something you know