public key infrastructure

Question 1

A _____ is a trusted entity that issues digital certificates, which are data files used to cryptographically link an entity with a public key.

Answer 1

certificate authority (CA)

Question 2

An _____ can be used to sign and encrypt email messages, typically using S/MIME or PGP. The user’s email address must be entered in the Subject Alternative Name (SAN) extension field

Answer 2

email certificate

Question 3

A _____ is issued to a software publisher, following some sort of identity check and validation process by the CA.

Answer 3

code signing certificate

Question 4

_____ may be issued to network appliances, such as routers, switches, and firewalls.

Answer 4

Machine certificates

Question 5

What are the components of a three-level Certificate Authority (CA) hierarchy?

Answer 5

Root, Intermediate, and Issuing

Question 6

A ______ describes a certificate used with multiple sub-domains of a domain. They are represented with an asterisk (*) such as *.google.com.

Answer 6

wildcard certificate

Question 7

_____ is an extension field on a web server certificate and supports the identification of the server by multiple subdomain labels.

Answer 7

Subject Alternative Name (SAN)

Question 8

______ allow for users to trust a public website using a chain of trust to the root authority.

Answer 8

Public root certificates

Question 9

A DER-encoded binary file can be represented as ASCII characters using Base64 ______ encoding. ___ files support other extensions like .key, .cer, and .cert.

Answer 9

Privacy-enhanced Electronic Mail (PEM)

Question 10

All certificates use an encoding scheme called _____ to create a binary representation of the information in the certificate. It does not use a Base64 encoding.

Answer 10

Distinguished Encoding Rules (DER)

Question 11

The ____ format allows the export of a certificate along with its private key. This would be used to archive or transport a private key.

Answer 11

.pfx

Question 12

The ___ file is a password-protected container format that possibly contains private/public key pairs.

Answer 12

.p12

Question 13

The ___ format is a means of bundling multiple certificates in the same file, often often used to deliver a chain of certificates. ___ files do not contain the private key.

Answer 13

P7B

Question 14

_____ involve wide needs, such as standard users, administrators, smart card login/users, recovery agent users, and Exchange mail users

Answer 14

User certificates

Question 15

_____ is proving the ownership of a domain, which may be proved by responding to an email to the authorized point of contact. This process is highly vulnerable to compromise.

Answer 15

Domain Validation (DV)

Question 16

_____ is a process requiring more rigorous checks on the subject’s legal identity and control over the domain or software being signed.

Answer 16

Extended Validation (EV)

Question 17

A _____ is a server assigned the task of completing an identity check and submitting Certificate Signing Requests (CSRs) on behalf of end users

Answer 17

registration authority

Question 18

_____ refers to several techniques to ensure it is inspecting the proper certificate when a client inspects the certificate presented by a server or a code-signed application.

Answer 18

Certificate Pinning

Question 19

_____ refers to the archiving of a key (or keys) with a third party.

Answer 19

Key escrow

Question 20

A _____ must be completed by a subject who wants to obtain a certificate from a Certificate Authority (CA).

Answer 20

Certificate Signing Request (CSR)

The CSR is a Base64 ASCII file containing information about the requester including its public key.

Question 21

A _____ is a list of certificates that were revoked before their expiration date.

Answer 21

Certificate Revocation List (CRL)

Question 22

______ is a service that runs on an issuing Certificate Authority (CA) designated as an ____ responder to communicate the status of requested certificates, rather than returning a CRL.

Answer 22

Online Certificate Status Protocol (OCSP)

Question 23

The _____ is a concept of the Public Key Infrastructure (PKI) to show how users and different Certificate Authorities (CA) can trust one another.

Answer 23

trust model

Question 24

______ is a method of trusting digital certificates to bypass the CA hierarchy and chain of trust and minimize MitM attacks. The client stores a public key that belongs (or is pinned) to a web server. If visiting again and the key does not exist in the certificate chain, a warning is presented.

Answer 24

HTTP Public Key Pinning (HPKP)