PKI Concepts Flashcards

1
Q

Certificate Hierarchy

A

The root CA is the ultimate authority, as it holds the master key, also known as the root key, for signing all of the certificates that it gives to the intermediary, who issues the certificate to the requester.

2
Q

Online CA

A

An internal online CA is always up and running so that people in the
company can request a certificate at any time of the day or night. This would not be
the case in a government or top-security environment.

3
Q

Offline CA

A

An offline CA is for a military or secure environment where clearance
and vetting must be completed before someone can be issued with a certificate. The
CA is kept offline and locked up when it is not being used. It is switched off so that
it cannot issue new certificates.

4
Q

Public CA

A

A public CA is also known as a third-party CA and is commercially accepted as an authority for issuing public certificates.

5
Q

Certificate Revocation List (CRL)

A

This is the first stage in checking whether a certificate is valid. If the certificate is not valid, it will be entered into the CRL. If the X.509 certificate is in the CRL, it is no longer valid and will not be accepted. No matter how obscure the question posed in the exam, unless it is going slow or you are looking for a faster lookup, it will be the CRL that provides certificate validity. No matter the scenario, the CRL is the default.

6
Q

Certificate Pinning TIP

A

Certificate pinning prevents the compromising of the CA and the issuing of fraudulent X.509 certificates. It prevents SSL man-in-the-middle attacks.

7
Q

Trust Anchor

A

A trust anchor in a PKI environment is the root certificate from which the whole chain of trust is derived; this is the root CA.

8
Q

Trust Model

A

A trust model proves the authenticity of a certificate; there are two trust models.

9
Q

Hierarchical Trust Model

A

This uses a hierarchy from the root CA down to the intermediary (also known as a subordinate); this is the normal PKI model.

10
Q

Bridge Trust Model

A

The bridge trust model is peer-to-peer, where two separate PKI environments trust each other. The certificate authorities communicate with each other, allowing for cross-certification.

11
Q

Certificate Chaining TIP

A

This chain of trust is used to verify who the Certificate Authority is. The chain normally has three layers: the certificate vendor, the vendor's CA, and the computer where the certificate is installed.

12
Q

Online Certificate Status Protocol (OCSP)

A

Only when the CRL is going slow will
the OCSP come into play. It is much faster than the CRL and can take a load from
the CRL in a very busy environment.

13
Q

Tip

A

Certificate validity can only be checked by the CRL or OCSP. The CRL is the default; the OCSP is used when you are looking for faster validation.

14
Q

OCSP Stapling/Certificate Stapling

A

Certificate stapling, also known as OCSP stapling, is used when a web server bypasses the CRL to use the OCSP for faster certificate validation.

15
Q

Certificate Signing Request (CSR)

A

This is the process of requesting a new certificate.

16
Q

Key Escrow

A

The key escrow holds the private keys for third parties and stores them in a Hardware Security Module (HSM), a device that can store digital keys.

17
Q

Hardware Security Module (HSM)

A

The HSM can be a piece of hardware attached
to the server or a portable device that is attached to store the keys. See the preceding
diagram for more on this.

18
Q

Data Recovery Agent (DRA)

A

If a user cannot access their data because their
private key is corrupted, the DRA will recover the data. The DRA needs to get a
copy of the private key from the key escrow.

19
Q

Certificates

A

There are two main certificate types: the public key and the private
key. The public key is sent to third parties to encrypt the data, and the private
key decrypts the data. If you think of the private key as your bank card, that’s a
thing you wouldn’t give away. The public key is the deposit slip that is tied to your
account. If you were in a room with 20 people who wanted to pay $20 into your
account, you would give them your deposit slip. You will always give your public
key away because when people are sending you encrypted data, they are using
your public key to encrypt. You will always use the recipient’s public key to encrypt
the data.

20
Q

TIP

A

The Data Recovery Agent (DRA) needs a private key from the key escrow to recover data.

21
Q

Object Identifier (OID)

A

The OID on a certificate is similar to a serial number
on a banknote. Banknotes are identified by their serial number. The certificate is
identified by its OID.

22
Q

Certificate Formats

A

Certificate type    Format              File extension
Private             P12                 .pfx
Public              P7B                 .cer
PEM                 Base64 format       .pem
DER                 Extension for PEM   .der

23
Q

Self-Signed Certificate

A

A self-signed certificate is issued by the same entity that is
using it. However, it does not have a CRL and cannot be validated or trusted. It is
the cheapest form of internal certificates and can be placed on multiple servers.

24
Q

Wildcard

A

For a wildcard certificate for a domain called securityplus.training, the wildcard certificate would be *.securityplus.training and could be used for the domain and a subdomain. For example, in the securityplus.training domain, there are two servers called web and mail. The wildcard certificate is *.securityplus.training and, when installed, it would work for the Fully Qualified Domain Names (FQDNs) of both of these: web.securityplus.training and mail.securityplus.training. A wildcard can be used for multiple servers in the same domain. If you want to use one certificate, for example, on public-facing web servers, then the wildcard is the cheapest option.

25
Q

Domain Validation

A

A domain validation certificate is an X.509 certificate that proves the ownership of a domain name.

26
Q

Subject Alternative Name (SAN)

A

A SAN certificate can be used on multiple domain names, such as abc.com or xyz.com. You can also insert other information into a SAN certificate, such as an IP address.

27
Q

Code Signing

A

Code-signing certificates are used to digitally sign software so that
its authenticity is guaranteed.

28
Q

Computer/Machine

A

A computer or machine certificate is used to identify a computer within a domain.

29
Q

User

A

A user certificate provides authenticity to a user for the applications that they use.

30
Q

Extended Validation

A

Extended validation certificates provide a higher level of trust in identifying the entity that is using the certificate. They would normally be used in the financial arena.

31
Q

TIP

A

A wildcard certificate can be installed on multiple public-facing websites as
a cheaper option. A self-signed certificate can be installed on internal-facing
websites as a cheaper option.