3.9


To prevent certificate compromise

A root Certificate Authority (CA) and intermediate CAs are fully deployed. The system administrator turns off the root CA server. Why is the root CA powered-down?

Convert to a .pem file.

A security engineer must install an X.509 certificate to a computer system, but it is not accepted. The system requires a Base64 encoded format. What must the security engineer execute to properly install this certificate?

Check certificate chain

A system admin installed a new certificate onto a web server. Browsing to the website, the browser shows trust errors. After clicking on the certificate icon, the website's name and information look correct. How would the system administrator troubleshoot further to find a root cause?

Update the SAN

A system admin received a support ticket regarding a website error. Browsing to company.com in Internet Explorer, the site looks safe and trusted. However, when browsing to payment.company.com, the website is no longer trusted. Knowing a wildcard certificate was installed, how would the admin resolve this error?

Use certificate pinning

An independent penetration company is invited to test the company's new banking application in development for Android phones. It uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates. Penetration tests reveal the connections with clients were vulnerable to an on-path attack. How can the company prevent this from happening on the public Internet?

Email to a point of contact

A new business owner recently completed an extended validation process to set up a trusted, valid website for secure public communication. The owner complained about how a domain validation would have been an easier process. Analyze and explain how a domain validation represents an easier solution in this situation.

Machine

Many certificates are used to verify identity. Which type of certificate could be issued to network appliances?

- .P12
- .PFX

There are various formats for encoding a certificate as a digital file for exchange between different systems. One difference is storing both public and private keys versus only storing a public key. Which of the following stores both public and private keys?

To obtain a certificate

What is the purpose of a Certificate Signing Request (CSR)?

PFX

____, .pfx, or .p12 extension allows the export of a certificate along with its private key and is password protected. This is used to archive or transport a private key.

Email certificate

_____ can be used to sign and encrypt email messages, typically using S/MIME or PGP. The user's email address must be entered in the Subject Alternative Name (SAN) extension field.

Code signing

_____ certificate is issued to a software publisher, following some sort of identity check and validation process by the CA.

wildcard certificate

_____ describes a certificate used with multiple sub-domains of a domain. They are represented with an asterisk (*) such as *.google.com.

Domain Validation (DV)

_____ is proving the ownership of a domain, which may be proved by responding to an email to the authorized point of contact. This process is highly vulnerable to compromise.

Key escrow

_____ refers to the archiving of a key (or keys) with a third party. This is a useful solution for organizations that do not have the capability to store keys securely but are able to fully trust the third party.

P7B

_____, or .p7b extension bundles multiple certificates into a single file. It is often used to deliver a chain of certificates that must be trusted by the processing host. It does not contain a private key.

common name (CN)

______ attribute was used to identify the fully qualified domain name (FQDN) by which the server is accessed, such as www.comptia.org. This has been deprecated as a method of validating subject identity.

Root certificate

______ identifies the CA itself.

trust model

______ is a concept of the Public Key Infrastructure (PKI) to show how users and different Certificate Authorities (CA) can trust one another. This is detailed in a certificate's certification path leading back to the root CA.

HTTP Public Key Pinning (HPKP)

______ is a method of trusting digital certificates to bypass the CA hierarchy and chain of trust and minimize MitM attacks. The client stores a public key that belongs (or is pinned) to a web server. If visiting again and the key does not exist in the certificate chain, a warning is presented.

Stapling

______ is a term used with Online Certificate Status Protocol (OCSP) that uses an SSL/TLS web server to make periodic requests from a CA about certificate statuses to reduce resource demands.

Self-signed certificate

______ is created and owned by the individual entity (e.g., machine, web server) that created it, and involves a key pair (public/private).

computer certificate

______ is only installed on the server that it identifies. Computer certificates are not shared.

Expiration

______ is part of a normal certificate lifecycle. Root certificates might have long expiration dates (10+ years), whereas web server and user certificates might be issued for 1 year only.

CER

______, or .cer, extension is a certificate that can contain either binary Distinguished Encoding Rules (DER) or ASCII PEM data.

Public root certificates

_______ allow for users to trust a public website using a chain of trust to the root authority. Private organizations must load employee web browsers with internal root certificates to verify internal websites.

certification path

_______, also known as "certificate chaining" or a "chain of trust," is a verifiable path of the leaf certificate to the root Certificate Authority (CA). Both web certificates must show the same path.

certificate signing request (CSR)

_______ is a common practice of gathering information about a device to present to a certificate authority (CA) to request a signed certificate.

Subject Alternative Name (SAN)

_______ is an extension field on a web server certificate using multiple subdomain labels to support the identification of the server.

Distinguished Encoding Rules (DER)

All certificates use an encoding scheme called ______ to create a binary representation of the information in the certificate.

Reduces management overhead

A Public Key Infrastructure (PKI) can produce many types of certificates with private/public key pairs. In contrast to a self-signed certificate, how does a wildcard certificate benefit an organization?

- Online CA publishes CRL
- Online root adds CA

A company has a two-level certificate authority (CA) hierarchy. One of the CA servers is offline, while the others are online. What is the difference and benefit to both power states?

P12

A private key is being exported to transfer to another server. There is no .pfx option. Which of the following certificate extensions can support the transfer of this private key?

1. Root
2. Issuing
3. Intermediate

What are the components of a three-level Certificate Authority (CA) hierarchy?

