Public Key Infrastructure Flashcards

1
Q

What is required to allow the enabling of an HTTPS binding?
A. MFA token
B. PKI certificate
C. The server must be joined to an Active Directory domain
D. A DNSSEC zone

A

D. DNSSEC zone

2
Q

Which PKI component issues certificates?
A. Device
B. User
C. CA
D. CRL

A

C. CA
A Certificate Authority (CA) is responsible for issuing digital certificates. It verifies the identity of the entity requesting the certificate and then issues a certificate that binds a public key to an identity.

3
Q

You have installed a Windows Private CA, but you do not see the option of working with certificate templates. Why is this?
A. Certificate templates must be managed directly in the file system
B. Your server is not joined to an Active Directory domain
C. Certificate templates are not available for private CAs
D. Your user account does not have sufficient permissions

A

B. Your server is not joined to an Active Directory domain

Certificate templates are a feature of Active Directory Certificate Services (AD CS). Private CAs, while powerful, do not have the same functionality as AD CS. If your server is not joined to an Active Directory domain, you won’t have access to certificate templates.
You’ll need to use other methods to manage certificate issuance and configuration, such as using PowerShell or other scripting tools to directly interact with the CA.

4
Q

You must ensure a highly sensitive internal web site uses PKI client authentication. What must be done on the web server? Choose more than one option.
A. The web server must be configured with a private CA-issued certificate
B. The web server must be configured with a public CA-issued certificate
C. Ensure the web server is configured to use HTTPS
D. Enable the option to require client PKI certificates

A

C. Ensure the web server is configured to use HTTPS: This is essential for secure communication, regardless of whether client certificates are used.
D. Enable the option to require client PKI certificates: This is the core requirement for PKI client authentication. By enabling this option, the web server will require clients to present a valid client certificate for authentication.
By combining HTTPS and PKI client authentication, you can significantly enhance the security of your internal website.

5
Q

You are managing a Windows 11 device. You would like to view existing computer and user certificates installed on the machine. What should you do?
A. Open the Group Policy editor and view certificate settings
B. Start MMC and add the Certificates snap-in
C. Windows 11 does not support PKI certificates
D. Run the Get-FileHash PowerShell cmdlet

A

B. Start MMC and add the Certificates snap-in
This is the most straightforward way to view existing computer and user certificates on a Windows 11 device. By adding the Certificates snap-in to MMC, you can explore the certificate store and view detailed information about each certificate.

6
Q

Which PKI solutions allow for preventing the use of untrusted certificates? Choose more than one option.
A. CRL
B. OCSP
C. Chain of trust
D. CA

A

A. CRL (Certificate Revocation List) is a list of revoked certificates. By checking the CRL, a system can determine if a certificate is still valid or has been revoked.
B. OCSP (Online Certificate Status Protocol) is a protocol that allows real-time verification of certificate status. It queries a designated OCSP responder to determine if a certificate is valid or revoked.

7
Q

What must be done for internal clients to trust private CA-issued certificates?
A. Each client device must have a smartcard reader
B. Install the private CA trusted root certificate on each client device
C. The computers must be joined to an Active Directory domain
D. The private CA software must be installed on each client device

A

B. Install the private CA trusted root certificate on each client device
To trust certificates issued by a private CA, client devices must have the CA’s root certificate installed in their trusted root certificate store. This allows the devices to verify the authenticity of certificates signed by the CA.
