SEC+ Revision Questions Managing a PKI Infrastructure Flashcards

1
Q

After importing a user certificate file to an e-mail program, a user finds she cannot digitally sign sent e-mail messages. What are some possible reasons for this? (Choose two.)
A. The public key is not in the certificate.
B. The private key is not in the certificate.
C. The certificate was not created for e-mail usage.
D. The PKI is not in the certificate.

A

B. The private key is not in the certificate.
&
C. The certificate was not created for e-mail usage.

2
Q

Which of the following would not be found in a digital certificate?
A. Public key
B. Private key
C. Digital signature of issuing CA
D. IP address of PKI server

A

D. IP address of PKI server

3
Q

You are providing consulting services to a legal firm that has a PKI. They would like to enable document workflow where documents are sent electronically to the appropriate employees within the firm. You are asked whether there is a way to prove that documents were sent from the user listed in the From field. Of the following, what would you recommend?
A. File encryption
B. Digital signatures
C. E-mail encryption
D. Certificate revocation list

A

B. Digital signatures

4
Q

As a security auditor, you are focusing on hardening an existing PKI. Which of the following should you consider? (Choose two.)
A. Take the CA offline.
B. Do not make public keys publicly accessible.
C. Configure a recovery agent.
D. Encrypt all digital certificates.

A

A. Take the CA offline.
&
C. Configure a recovery agent.

5
Q

Your colleagues report that there is a short time frame where a revoked certificate can still be used. Why is this?
A. The CRL is published periodically.
B. The CRL is published immediately but must replicate to all hosts.
C. The CRL lists only revoked certificate serial numbers; it is not used in any way.
D. The CRL is dependent on network bandwidth.

A

A. The CRL is published periodically.

6
Q

Which of the following best describes the term key escrow?
A. A trusted third party with decryption keys in case the original keys have expired
B. A trusted third party with decryption keys in addition to existing original keys
C. An account that can be used to encrypt private keys
D. An account that can be used to encrypt data for any user

A

B. A trusted third party with decryption keys in addition to existing original keys

7
Q

Which PKI component verifies the identity of certificate requestors before a certificate is issued?
A. Public key
B. RA
C. PKI
D. CRL

A

B. RA

8
Q

A user reports that they are unable to authenticate to the corporate VPN while traveling. You have configured the VPN to require X.509 user certificate authentication. After investigating the problem, you learn that the user certificate has expired. Which of the following presents the quickest secure solution?
A. Create a new user certificate and configure it on the user computer.
B. Disable X.509 certificate authentication for your VPN.
C. Reduce the CRL publishing frequency.
D. Set the date back on the VPN appliance to before the user certificate expired.

A

A. Create a new user certificate and configure it on the user computer.

9
Q

When users connect to an intranet server by typing https://intranet.acme.local, their web browser displays a warning message stating the site is not to be trusted. How can this warning message be removed while maintaining security?
A. Configure the web server to use HTTP instead of HTTPS.
B. Install the intranet server private key on all client workstations.
C. Use TCP port 443 instead of TCP port 80.
D. Install the trusted root certificate in the client web browser for the issuer of the intranet server certificate.

A

D. Install the trusted root certificate in the client web browser for the issuer of the intranet server certificate.

10
Q

An HTTPS-secured web site requires the ability to restrict which workstations can make a connection. Which option is the most secure?
A. Configure the web site to allow connections only from the IP addresses of valid workstations.
B. Configure the web site to allow connections only from the MAC addresses of valid workstations.
C. Configure the web site to use user authentication.
D. Configure the web site to require client-side certificates.

A

D. Configure the web site to require client-side certificates.

11
Q

Which of the following is untrue regarding certificates containing private keys?
A. They can be used to encrypt mail sent to others.
B. They can be used to encrypt hard disk contents.
C. They should be password protected.
D. They can be used to digitally sign mail sent to others.

A

A. They can be used to encrypt mail sent to others.

12
Q

For which purpose would a computer digital certificate be used? (Choose the best answer.)
A. Network access control
B. IPSec
C. Both of the above
D. Neither of the above

A

C. Both of the above

13
Q

You are responsible for enabling SSL on an e-commerce web site. What should you do first?
A. Install the web server digital certificate.
B. Enable SSL on the web server.
C. Create a CSR and submit it to a CA.
D. Configure the web server to use port 443.

A

C. Create a CSR and submit it to a CA.

14
Q

While generating a certificate signing request for a web site, you enter the information listed here. Users will connect to the web site by typing https://www.acme.com. Identify the configuration error.
Expiry: 12 months
Bit length: 2048
Common Name: 215.66.77.88
Organization: Acme Inc.
OU: Sales
Country: US
State: TN
City: Memphis
A. The expiry date is one year away.
B. The bit length should be 128.
C. The common name should be www.acme.com.
D. The State field must not be abbreviated.

A

C. The common name should be www.acme.com.

15
Q

A national company with headquarters in Dallas, Texas, is implementing a PKI. There are corporate locations in 12 other major U.S. cities. Each of those locations has a senior network administrator. Which option presents the best PKI solution?
A. Install a root CA in Dallas. Create subordinate CAs for each city and use these to issue certificates for users and computers in that city. Take the root CA offline.
B. Install a root CA in Dallas. Issue certificates for users and computers in all locations.
C. Install a root CA in Dallas. Issue certificates for users and computers in all locations. Take the root CA offline.
D. Install a root CA in Dallas and each city. Issue certificates for users and computers using each city root CA. Take the root CAs offline.

A

A. Install a root CA in Dallas. Create subordinate CAs for each city and use these to issue certificates for users and computers in that city. Take the root CA offline.

16
Q

A work colleague has sent you a digital certificate file to install on your computer so that you can encrypt e-mail messages to him. What error was made in Figure 13-2 when the file was generated?
A. There should not be a private key password.
B. A private key should never be shared with others.
C. The option Enable Strong Private Key Protection must be enabled.
D. The option Include All Extended Properties must be disabled.

A

B. A private key should never be shared with others.

17
Q

To secure your server, you would like to ensure server hard disk data cannot be accessed if the hard disks are stolen. What should you do?
A. Configure EFS.
B. Configure TPM with PKI encryption keys.
C. Configure NTFS security.
D. Configure a power-on password.

A

B. Configure TPM with PKI encryption keys.

18
Q

Which security objectives are met by PKI? (Choose two.)
A. Least privilege
B. Integrity
C. Nonrepudiation
D. DMZ

A

B. Integrity
&
C. Nonrepudiation

19
Q

Your company, Acme, Inc., conducts business with a supplier, Widgets, Inc. Both companies have an existing PKI with departmental subordinate CAs. Certain Widgets departments require access to specific secured Acme web servers that require client-side certificates before access is granted. What solution should you propose?
A. Acme administrators should create a new root CA for Widgets and issue certificates to those employees needing access to the Acme web server.
B. Acme administrators should create a new subordinate CA for Widgets and issue certificates to those employees needing access to the Acme web server.
C. The Acme web servers should be cross-certified with the appropriate Widgets subordinate CAs.
D. The appropriate Widgets and Acme departmental CAs should be cross-certified.

A

C. The Acme web servers should be cross-certified with the appropriate Widgets subordinate CAs.

20
Q

Which types of keys are commonly used for e-commerce web sites?
A. Public, private, session
B. Public and private
C. Public, private, TPM
D. Public, private, PKI

A

A. Public, private, session

21
Q

The CA signature exists in all digital certificates that it issues. Which key does the CA use to create its signature?
A. Private
B. Public
C. Symmetric
D. Asymmetric

A

A. Private

22
Q

In a PKI, what role does the CA play? (Choose two.)
A. Revokes certificates
B. Uses its private key to digitally sign certificates
C. Uses its public key to digitally sign certificates
D. Controls access to the network using certificates

A

A. Revokes certificates
&
B. Uses its private key to digitally sign certificates

23
Q

To which does the X.509 standard apply?
A. LDAP
B. PKI certificates
C. Biometric authentication
D. A type of network transport

A

B. PKI certificates