Managing a Public Key Infrastructure Flashcards

1
Q

Which of the following items are stored within a user PKI certificate? (Choose two.)

Public key

Intermediary CA

CRL

Expiration date

A

Public key

Expiration date

Among many other items, a PKI certificate contains a public key used for cryptographic purposes such as encryption and verifying digital signatures. Certificates have an expiration date after which the certificate is no longer valid and cannot be used.

2
Q

Which component sits at the top of a PKI hierarchy?

Intermediate CA

Root CA

CRL

A

Root CA

The root CA resides at the top of the PKI hierarchy, followed by issued certificates and registration authorities (RAs), which can issue certificates and subordinate registration authorities if required.

3
Q

What is established when a device trusts a public CA root certificate?

Certificate revocation

Registration authority

Chain of trust

A

Chain of trust

The PKI chain of trust is based on digital signatures written to issued certificates by a root or intermediary CA. For example, if a user device trusts RootCA1, then the user device trusts all certificates issued directly or indirectly by RootCA1.

4
Q

Users complain that they receive an untrusted web site warning in their web browsers when connecting to an HTTPS-enabled intranet web server, but not when they connect over HTTP. What is the most likely reason this is happening?

Users have not yet authenticated to the web site.

The web site is blocked by a content-filtering firewall.

The web server is using a self-signed certificate.

A

The web server is using a self-signed certificate.

HTTPS web server connectivity requires a PKI certificate installed on the server; HTTP does not. If the certificate is self-signed, meaning not issued by a trusted third-party issuer, then web browsers will present a security warning to users when they attempt to connect to the site.

5
Q

You are a Windows administrator who uses PowerShell scripts to manage Windows devices over the network. Only trusted scripts should run on hosts. What should you configure?

Intermediate CA

Code-signing certificate

Certificate signing request

A

Code-signing certificate

Script writers and software developers use code-signing certificates to digitally sign scripts or software files using a private key. Devices can be configured to run only trusted scripts or software, meaning those whose signature can be verified with the correct public key.

6
Q

What should you do to harden your PKI? (Choose two.)

Ensure that public key files are password protected.

Ensure that the root CA is online.

Ensure that the root CA is offline.

Ensure that private key files are password protected.

A

Ensure that the root CA is offline.

Ensure that private key files are password protected.

If the root CA is compromised, all certificates in the hierarchy are compromised, so it should be kept offline unless it is needed, such as to create a new intermediate CA. While a key pair's public key can be shared with anyone, private keys must be available only to the key pair owner, since private keys are used to decrypt messages and create digital signatures.

7
Q

Which of the following is never stored with a digital certificate?

Private key

Digital signature of issuing CA

IP address of CA server

A

IP address of CA server

The IP address of the issuing CA server is not stored in an issued certificate.

8
Q

You are providing consulting services to a legal firm that has a PKI. The firm would like to enable document workflow where documents are sent electronically to the appropriate internal employees. You are asked whether there is a way to prove that documents were sent from the user listed in the FROM field. Of the following, what would you recommend?

File encryption

Digital signatures

E-mail encryption

A

Digital signatures

A digital signature is created with a private key and is used to verify the authenticity and integrity of the message using the related public key.

9
Q

Which of the following best describes the term key escrow?

A trusted third party with decryption keys in case the original keys have expired

A trusted third party with copies of decryption keys in addition to existing original keys

An account that can be used to encrypt private keys

A

A trusted third party with copies of decryption keys in addition to existing original keys

Key escrow places private or secret keys in the possession of a trusted third party for safekeeping.

10
Q

Which PKI component verifies the identity of certificate requestors before a certificate is issued?

Public key

RA

Private key

A

RA

RAs are often referred to as intermediate CAs; they have the ability to accept certificate requests and either issue certificates or validate the request for issuance by another CA.

11
Q

A user reports that she is unable to authenticate to the corporate VPN while traveling. You have configured the VPN to require user certificate authentication. After investigating the problem, you learn that the user certificate has expired. Which of the following presents the quickest secure solution?

Create a new user certificate and configure it on the user’s computer.

Disable certificate authentication for your VPN.

Reduce the CRL publishing frequency.

A

Create a new user certificate and configure it on the user’s computer.

Expired certificates can no longer be used. A new certificate must be issued for the user.

12
Q

When users connect to an intranet server by typing https://intranet.corp.local, their web browser displays a warning message stating the site is not to be trusted. How can this warning message be removed while maintaining security?

Configure the web server to use HTTP instead of HTTPS.

Install the intranet server private key on all client workstations.

Install the trusted root certificate in the client web browser for the issuer of the intranet server certificate.

A

Install the trusted root certificate in the client web browser for the issuer of the intranet server certificate.

If users’ devices are configured with the correct trusted certificate for the intranet server certificate issuer, then user devices will trust certificates issued by that authority.

13
Q

An HTTPS-secured web site requires that you restrict some workstations from making a connection. Which option is the most secure?

Configure the web site to allow connections only from the IP addresses of valid workstations.

Configure the web site to use user authentication.

Configure the web site to require client-side certificates.

A

Configure the web site to require client-side certificates.

Mutual authentication requires both sides of a secured connection to authenticate with each other. Normally an HTTPS web site secures connections for anybody who has permissions to use the web site. To enhance security further, connecting devices can be required to have an installed and trusted certificate, which enables each party to validate the other’s identity.

14
Q

You are responsible for enabling TLS on a newly installed e-commerce web site. What should you do first? (Choose the best answer.)

Install the web server digital certificate.

Enable TLS on the web server.

Create a CSR and submit it to a CA.

A

Create a CSR and submit it to a CA.

Depending on which tool is used, acquiring a publicly trusted server certificate for an e-commerce site begins with generating a public/private key pair, filling out information such as company name and web server URL, and providing the public key to the CA; this is a certificate signing request (CSR).

15
Q

A large national company with headquarters in Dallas, Texas, is implementing a PKI for thousands of users. There are corporate locations in 12 other major U.S. cities. Each of those locations has a senior network administrator who should retain control of IT for the location’s user base. User devices in all locations must trust all certificates issued within the company. Which option presents the PKI solution that reflects best practices?

Install a root CA in Dallas. Create intermediate CAs for each city, and use these to issue certificates for users and computers in each city. Take the root CA offline.

Install a root CA in Dallas. Issue certificates for users and computers in all locations.

Install a root CA in Dallas. Issue certificates for users and computers in all locations. Take the root CA offline.

A

Install a root CA in Dallas. Create intermediate CAs for each city, and use these to issue certificates for users and computers in each city. Take the root CA offline.

In larger enterprises, intermediate CAs can be deployed for cities, departments, subsidiary companies, and so on. Intermediate CA technicians then have control of that part of the PKI hierarchy. The root CA should be taken offline to enhance security; a compromised root CA means all certificates in the hierarchy are compromised, whereas a compromised intermediary CA means only its issued certificates are compromised.

16
Q

Which types of keys are all commonly required when connecting via HTTPS to an e-commerce web site?

Public, private, and session

Public and private

Public only

A

Public, private, and session

An HTTPS-enabled web site requires a PKI certificate containing a public and private key pair. In simple terms, when the client initially connects to the server and negotiates session details, the server sends the client its public key. The client generates a unique session key, which is encrypted with the server’s public key and sent back to the server. The server then uses its private key to decrypt the message and reveal the session key. The session key, or shared secret key, is then used to encrypt transmissions throughout the session.

17
Q

Which PKI component does the CA use to digitally sign issued certificates?

Private key

Public key

CRL

A

Private key

Private keys are used to create digital signatures. In this example, the CA signature allows for the chain of trust, meaning clients that trust the CA will trust any certificates issued by that CA.

18
Q

In a PKI, what role does the CA play? (Choose two.)

Revokes certificates

Uses its private key to digitally sign certificates

Uses its public key to digitally sign certificates

Controls access to the network using certificates

A

Revokes certificates

Uses its private key to digitally sign certificates

CAs digitally sign certificates to establish the chain of trust; they can also revoke certificates, rendering those certificates unusable.

19
Q

You are developing Microsoft PowerShell scripts to automate network administration tasks. The .PS1 script files need to be digitally signed and trusted to run on computers in your environment. You have already acquired a code-signing PKI certificate. You need to back up your private key. Which file format should you choose during export? (Choose two.)

DER

PEM

PFX

CER

P12

P7B

A

PFX

P12

The personal information exchange (PFX) and P12 file formats (same data, different file extensions) are often used to store private keys and should be password protected.

20
Q

Which security technique associates a host with its related public key?

CRL

OCSP

Certificate pinning

A

Certificate pinning

Pinning is a technique used to associate hosts with their public keys. This can be done by client-side applications, including web browsers, that keep a copy, or a hash, of a host’s public key. The client app checks this when server connectivity is initiated.

21
Q

Which PKI verification processes can best mitigate the creation of phishing web sites by scammers? (Choose two.)

Extended validation

Domain validation

CRL

OCSP

A

Extended validation

Domain validation

Certification authorities perform various degrees of verification against CSRs. Domain validation certificates are easy to acquire: CAs require only that you prove DNS domain ownership, such as by creating a DNS record in your domain with CA-specified values, or through receipt of an e-mail message sent to the DNS domain owner. Before issuing extended validation certificates, CAs perform more tasks to ensure that the organization is genuine, such as verifying organization details, whether the business is registered, and so on. Both types of certificates provide HTTPS security.

22
Q

You need to reduce the amount of network traffic directed at CAs by OCSP clients. What should you configure?

Stapling

CRL

Pinning

A

Stapling

With OCSP stapling, the certificate holder queries the CA's OCSP responder itself, caches the signed response, and provides it to connecting clients, which reduces the number of queries sent directly to the CA.

23
Q

How do client devices trust the TLS certificate used by an HTTPS web server?

Key escrow

Stapling

Certificate chaining

A

Certificate chaining

The PKI chain of trust, also referred to as certificate chaining, is based on digital signatures written to issued certificates by a root or intermediary CA. For example, if a user device trusts RootCA1, then the user device trusts all certificates issued directly or indirectly by RootCA1.

24
Q

Which PKI options can be used to check for certificate validity? (Choose two.)

Stapling

CRL

RA

OCSP

A

CRL

OCSP

A CRL provides expired certificate serial numbers to ensure that expired certificates are not trusted. OCSP enables verification of the validity of a single certificate instead of an entire list of all expired certificates as CRLs do.

25
Q

Which of the following is a valid CA signing algorithm?

SHA 256

AES

DES

A

SHA 256

SHA-256 can be used by CAs to digitally sign certificates they issue, thus establishing a chain of trust.

26
Q

Which naming prefix identifies a PKI certificate subject name?

Domain component

Component name

Common name

A

Common name

The common name property in a certificate identifies the subject, such as a user e-mail address or an FQDN for a web site. An example is CN=user1@corp.com.

27
Q

After importing a user certificate file to an e-mail program, a user finds she cannot digitally sign sent e-mail messages. What are some possible reasons for this? (Choose two.)

The certificate was not created for e-mail usage.

The private key is not in the certificate.

The public key is not in the certificate.

The CA signature is not in the certificate.

A

The certificate was not created for e-mail usage.

The private key is not in the certificate.

User certificates are issued with specific usage constraints, so one possible explanation is that this certificate does not support digitally signing e-mail messages. Alternatively, the certificate may not contain the sender’s private key, which is required to create a digital signature.