Lesson 6: Implementing Public Key Infrastructure Flashcards
An employee has requested a digital certificate for a user to access the Virtual Private Network (VPN). It is discovered that the certificate is also being used for digitally signing emails. Evaluate the possible extension attributes to determine which should be modified so that the certificate only works for VPN access.
A. Valid from/to
B. Extended key usage
C. Serial number
D. Public key
B
Set the Extended Key Usage (EKU) field of a certificate to define its usage. Applications such as virtual private network (VPN) or email clients may impose specific requirements on the key usage configuration.
Consider the life cycle of an encryption key. Which of the following is NOT a stage in a key’s life cycle?
A. Storage
B. Verification
C. Expiration and renewal
D. Revocation
B
Verification is not a stage in a key’s life cycle. It is part of the software development life cycle. The stages are: key generation, certificate generation, storage, revocation, and expiration and renewal.
Digital certificates are based on the X.509 standard that defines the fields (or information) about a subject (or entity using the certificate) and the certificate’s issuer. Which of the following fields would not be included in a standard public certificate?
A. Extensions
B. Public key
C. Endorsement key
D. Subject
C
An endorsement key is not required for a digital certificate. It is part of a Trusted Platform Module (TPM) and used to create subkeys for key storage, signature, and encryption operations.
An employee handling key management discovers that a private key has been compromised. Evaluate the stages of a key’s life cycle and determine which stage the employee initiates upon learning of the compromise.
A. Certificate generation
B. Key generation
C. Expiration and renewal
D. Revocation
D
Upon learning of a compromise, the current key should be revoked, and a new key can then be generated.
A website with many subdomains has been issued a web server certificate for domain validation. This certificate verifies the parent domain and subdomains (to a single level). This certificate is also known as which of the following?
A. SAN certificate
B. Wildcard certificate
C. Root certificate
D. Code signing certificate
B
A wildcard certificate, with a subject field entry of a wildcard domain such as *.comptia.org, means that the certificate issued to the parent domain will be accepted as valid for all subdomains (to a single level).
A Certificate Revocation List (CRL) has a publish period set to 24 hours. Based on the normal procedures for a CRL, what is the most applicable validity period for this certificate?
A. 26 hours
B. 1 hour
C. 23 hours
D. 72 hours
A
One or two hours over the publish period is considered normal, thus making 26 hours fall within the window.
The validity period is the period during which the CRL is considered authoritative. This is usually a bit longer than the publish period, giving a short window to update and keep the CRL authoritative.
If not managed properly, certificate and key management can represent a critical vulnerability. Assess the following statements about key management and select the true statements.
(Select all that apply.)
A. If a key used for signing and encryption is compromised, it can be easily destroyed with a new key issued.
B. It is exponentially more difficult to ensure the key is not compromised with multiple backups of a private key.
C. If a private key, or secret key, is not backed up, the storage system represents a single point of failure.
D. A compromised private key that encrypts data is of no concern if the same key signs documents.
B, C
A problem with key storage is the difficulty associated with multiple backups of a private key. It is exponentially more difficult to ensure the key is not compromised in this situation.
If a key is not backed up, it represents a single point of failure. Key recovery is a process for backing up keys and/or recovering data encrypted with a lost key.
What is the purpose of a web server certificate?
A. Sign and encrypt email messages.
B. Guarantee the validity of a browser plug-in.
C. Provide identification of the certificate authority.
D. Guarantee the identity of a website.
D
A web server certificate guarantees the identity of the server that provides web services, such as a website or an e-commerce site. The web server’s public certificate allows users to submit data securely to the web server.
A company has a critical encryption key that has an M-of-N control configuration for protection. Examine the examples and select the one that correctly illustrates the proper configuration for this type of protection of critical encryption keys.
A. M=1 and N=5
B. M=3 and N=5
C. M=6 and N=5
D. M=0 and N=5
B
A correct configuration for an M-of-N control is M=3 and N=5. M stands for the number of authorized administrators that must be present to access the critical encryption keys and N is the total number of authorized administrators. In this scenario, 3 of the 5 administrators must be present for access.
M is always greater than 1 for this type of configuration, making M=1 and N=5 not a valid choice. If only 1 administrator must be present, this configuration would be unnecessary.
M=6 and N=5 is not possible, as this configuration is asking for more administrators to be present than are authorized.
The final option of M=0 is not viable because M must always be greater than 1.
A web administrator visits a website after installing its certificate to test the SSL binding. The administrator’s client computer did not trust the website’s certificate. The administrator views the website’s certificate from the browser to determine which certificate authority (CA) generated the certificate. Which certificate field would assist with the troubleshooting process?
A. Subject alternative name
B. Signature algorithm
C. Issuer
D. Subject
C
The Issuer field provides the name of the certificate authority (CA) that generated and issued the certificate for the web server.
An employee handles key management and has learned that a user has used the same key pair for encrypting documents and digitally signing emails. Prioritize all actions that should be taken and determine the first action that the employee should take.
A. Revoke the keys.
B. Recover the encrypted data.
C. Generate a new key pair.
D. Generate a new certificate.
B
The first step is to recover any data encrypted with the key so the data can be decrypted. Once the data is recovered, the key can be revoked and an administrator can issue a new key pair.