CompTIA Sec+ SY0-601 Chapter 13
In a PKI, what role does the CA play? (Choose two.) A. Revokes certificates B. Uses its private key to digitally sign certificates C. Uses its public key to digitally sign certificates D. Controls access to the network using certificates
A and B. A CA uses its private key to digitally sign the certificates it issues, which is what establishes the chain of trust; it can also revoke certificates it has issued, after which they must no longer be trusted. The CA's public key is used only to verify those signatures, and a CA does not itself control access to the network.
Which PKI verification processes can best mitigate the creation of phishing web sites by scammers? (Choose two.) A. Extended validation B. Domain validation C. CRL D. OCSP
A and B. Certification authorities perform different degrees of verification before signing a CSR. Domain validation (DV) certificates are easy to acquire: the CA requires only proof that you control the DNS domain, for example by creating a DNS record containing a CA-specified value or by responding to an e-mail message sent to the domain's registered contact. Before issuing an extended validation (EV) certificate, the CA also verifies that the organization is genuine, such as confirming its legal registration and business details. Both types of certificates provide the same HTTPS protection; they differ only in how much the CA has vouched for the identity behind the site.
After importing a user certificate file to an e-mail program, a user finds she cannot digitally sign sent e-mail messages. What are some possible reasons for this? (Choose two.) A. The certificate was not created for e-mail usage. B. The private key is not in the certificate. C. The public key is not in the certificate. D. The CA signature is not in the certificate.
A and B. Certificates are issued with specific key usage constraints, so one explanation is that this certificate was not issued for e-mail protection (signing and encrypting mail). The other is that the imported file does not contain the sender's private key, which is required to create a digital signature: a certificate file such as a .cer carries only the certificate and its public key, so the user needs an export that bundles the private key (PFX/P12). A missing public key or CA signature cannot be the cause, since every certificate contains both.
Which of the following items are stored within a user PKI certificate? (Choose two.) A. Public key B. Intermediary CA C. CRL D. Expiration date
A and D. Among other fields, a certificate contains the subject's public key, used for cryptographic purposes such as encrypting data to the subject and verifying the subject's digital signatures, and a validity period; after the expiration (Not After) date the certificate is no longer valid and is rejected. The intermediate CA certificate and the CRL are separate objects that a certificate may point to but does not contain.
Which types of keys are all commonly required when connecting via HTTPS to an e-commerce web site? A. Public, private, and session B. Public and private C. Public only D. Private only
A. An HTTPS web site needs all three: the server certificate carries the server's public key, the matching private key stays on the server and is never sent, and each connection uses a fresh symmetric session key. In the RSA key exchange of TLS 1.2 and earlier, the client receives the server's certificate, generates a random secret, encrypts it with the server's public key and sends it back; the server decrypts it with its private key and both sides derive the session key from it. TLS 1.3 dropped that key transport: the session key is agreed with ephemeral Diffie-Hellman, and the server's private key is used only to sign the handshake, which gives forward secrecy. Either way, the session (shared secret) key is what encrypts the traffic for the rest of the session.
A user reports that she is unable to authenticate to the corporate VPN while traveling. You have configured the VPN to require user certificate authentication. After investigating the problem, you learn that the user certificate has expired. Which of the following presents the quickest secure solution? A. Create a new user certificate and configure it on the user's computer. B. Disable certificate authentication for your VPN. C. Reduce the CRL publishing frequency. D. Set the date back on the VPN appliance to before the user certificate expired.
A. Expired certificates can no longer be used, so a new certificate must be issued to the user and configured on her computer. Disabling certificate authentication weakens the VPN, the CRL publishing interval has nothing to do with expiry, and turning the VPN appliance's clock back would break validity checks for every certificate it sees.
A large national company with headquarters in Dallas, Texas, is implementing a PKI for thousands of users. There are corporate locations in 12 other major U.S. cities. Each of those locations has a senior network administrator that should retain control of IT for the location's user base. User devices in all locations must trust all certificates issued within the company. Which option presents the PKI solution that reflects best practices? A. Install a root CA in Dallas. Create intermediate CAs for each city, and use these to issue certificates for users and computers in each city. Take the root CA offline. B. Install a root CA in Dallas. Issue certificates for users and computers in all locations. C. Install a root CA in Dallas. Issue certificates for users and computers in all locations. Take the root CA offline. D. Install a root CA in Dallas and each city. Issue certificates for users and computers using each city root CA. Take the root CAs offline.
A. In larger enterprises, intermediate CAs can be deployed for cities, departments, subsidiary companies, and so on, and the administrators of each intermediate CA then control that part of the PKI hierarchy. Because every device trusts the root, certificates issued by any intermediate are trusted company-wide. The root CA should be taken offline to enhance security: a compromised root CA means every certificate in the hierarchy is compromised, whereas a compromised intermediate CA compromises only the certificates it issued, which can be revoked and reissued from a new intermediate.
Which PKI component does the CA use to digitally sign issued certificates? A. Private key B. Public key C. CRL D. OCSP
A. Private keys are used to create digital signatures. In this example, the CA signature allows for the chain of trust, meaning clients that trust the CA will trust any certificates issued by that CA.
Which of the following is a valid CA signing algorithm? A. SHA 256 B. AES C. DES D. IKE
A. SHA-256 is the hash function used in a CA's signature algorithm (for example sha256WithRSAEncryption or ecdsa-with-SHA256): the CA hashes the to-be-signed portion of the certificate with SHA-256 and signs that digest with its private key, establishing the chain of trust. AES and DES are symmetric ciphers and IKE is a key-exchange protocol; none of them produces a digital signature.
Which PKI options can be used to check for certificate validity? (Choose two.) A. Stapling B. CRL C. RA D. OCSP
B and D. A CRL is a CA-signed list of the serial numbers of certificates the CA has revoked before their expiration date, so that clients know not to trust them; expired certificates are rejected by their dates and are not listed. OCSP lets a client query the CA's responder for the status of a single certificate instead of downloading the whole list. Stapling is a delivery optimization for OCSP responses, and an RA plays no part in validity checking.
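The hierarchy, chain-of-trust, signing-algorithm and CRL answers above can be exercised end to end with the Go standard library's crypto/x509 package, which performs the same chain building a browser or operating system does. The following is an added example, not code from the study guide; the CA names, serial numbers and the www.corp.com server certificate are constructed for illustration. It mints an offline root, an intermediate issuing CA and a server certificate, verifies the chain while trusting only the root, prints the signature algorithm in use (ECDSA with SHA-256 here), rejects the certificate for a usage it was not issued for (the e-mail case from an earlier question), and has the intermediate publish a CRL whose signature is checked before the serial number is looked up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is a constructed three-tier PKI (hypothetical names): offline root,
// online issuing intermediate, and one web server (leaf) certificate.
type Hierarchy struct {
	Root, Inter, Leaf *x509.Certificate
	InterKey          *ecdsa.PrivateKey // the only signing key that stays online
}

func must[T any](v T, err error) T { // key generation and DER encoding cannot fail here
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with parentKey (parent == tmpl yields a self-signed root).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der))
}

// caTemplate describes a CA that may sign certificates and CRLs.
func caTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildHierarchy mints root -> intermediate -> leaf. The root key signs only the
// intermediate and is never needed again, which is why the root can go offline.
func BuildHierarchy() *Hierarchy {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	interKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := caTemplate(1, "Corp Root CA")
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := issue(caTemplate(2, "Corp Dallas Issuing CA"), root, &interKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{ // web server cert, limited to TLS server authentication
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "www.corp.com"},
		DNSNames: []string{"www.corp.com"}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := issue(leafTmpl, inter, &leafKey.PublicKey, interKey)
	return &Hierarchy{Root: root, Inter: inter, Leaf: leaf, InterKey: interKey}
}

// VerifyLeaf chains leaf -> intermediate -> root while trusting only the root, as a
// client with just the root installed would, and requires the leaf to permit usage.
func (h *Hierarchy) VerifyLeaf(usage x509.ExtKeyUsage) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(h.Root)
	opts.Intermediates.AddCert(h.Inter)
	opts.KeyUsages = []x509.ExtKeyUsage{usage}
	_, err := h.Leaf.Verify(opts)
	return err
}

// RevokeLeaf has the intermediate publish a signed CRL listing the leaf's serial number.
func (h *Hierarchy) RevokeLeaf() *x509.RevocationList {
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: h.Leaf.SerialNumber, RevocationTime: time.Now()}},
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, h.Inter, h.InterKey))
	return must(x509.ParseRevocationList(der))
}

// IsRevoked checks that the CRL really was signed by issuer (an unsigned or forged
// list proves nothing) and only then looks for cert's serial number in it.
func IsRevoked(crl *x509.RevocationList, issuer, cert *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	h := BuildHierarchy()
	fmt.Println("leaf signed with", h.Leaf.SignatureAlgorithm, "by", h.Leaf.Issuer.CommonName)
	fmt.Println("valid for a TLS server:", h.VerifyLeaf(x509.ExtKeyUsageServerAuth) == nil)
	fmt.Println("valid for e-mail:", h.VerifyLeaf(x509.ExtKeyUsageEmailProtection) == nil)
	revoked, _ := IsRevoked(h.RevokeLeaf(), h.Inter, h.Leaf)
	fmt.Println("leaf listed in CRL:", revoked)
}
```

The root's private key is touched exactly once, inside BuildHierarchy, which is the practical meaning of "take the root offline": once the intermediate is signed, nothing in day-to-day operation needs it. A client that imported only the root trusts the leaf because the chain of signatures leads back to that root, and the CRL is trusted only because it carries a valid signature from the same issuer that signed the leaf; a list signed by anyone else, including the root, is rejected by IsRevoked before its contents are consulted.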
You are providing consulting services to a legal firm that has a PKI. The firm would like to enable document workflow where documents are sent electronically to the appropriate internal employees. You are asked whether there is a way to prove that documents were sent from the user listed in the FROM field. Of the following, what would you recommend? A. File encryption B. Digital signatures C. E-mail encryption D. Certificate revocation list
B. A digital signature is created from a private key and is used to verify the authenticity and integrity of the message using the related public key.
Which of the following best describes the term key escrow? A. A trusted third party with decryption keys in case the original keys have expired B. A trusted third party with copies of decryption keys in addition to existing original keys C. An account that can be used to encrypt private keys D. An account that can be used to encrypt data for any user
B. Key escrow places private or secret keys in the possession of a trusted third party for safekeeping.
Which PKI component verifies the identity of certificate requestors before a certificate is issued? A. Public key B. RA C. Private key D. CRL
B. A registration authority (RA) verifies the identity of a certificate requester, for example by checking documents or an existing enterprise login, and then passes the validated request to the CA for issuance. An RA holds no signing key and does not itself issue certificates; only a CA does that.
You are a Windows administrator that uses PowerShell scripts to manage Windows devices over the network. Only trusted scripts should run on hosts. What should you configure? A. Intermediate CA B. Code-signing certificate C. Certificate signing request D. Registration authority
B. Script writers and software developers use the private key of a code-signing certificate to digitally sign scripts or software files. Hosts can then be configured to run only signed code, meaning code whose signature verifies with the public key in a certificate that chains to a trusted root and that carries the code-signing usage; for PowerShell this is the AllSigned execution policy. An intermediate CA, a CSR, or an RA on its own enforces nothing on the hosts.
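The document-signing and code-signing answers above come down to the same operation: hash the content, sign the digest with the sender's private key, and let anyone holding the matching public key (normally taken from the sender's certificate) verify it. The following is an added example, not part of the study guide or of any PowerShell tooling; the script text, the signer names and the tampered line are constructed. It shows both properties the answers rely on: a single appended line invalidates the signature (integrity), and a signature produced by another key fails against the claimed sender's public key (authenticity).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer holds one user's key pair. Only the private half ever signs; recipients
// verify with the public half, which in a PKI they take from the signer's certificate.
type Signer struct {
	key *ecdsa.PrivateKey
}

// NewSigner generates a fresh P-256 key pair (the user's enrollment, in PKI terms).
func NewSigner() (*Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{key: key}, nil
}

// Public returns the half of the key pair that can be handed to anyone.
func (s *Signer) Public() *ecdsa.PublicKey { return &s.key.PublicKey }

// Sign hashes the content with SHA-256 and signs the digest with the private key.
// The signature travels with the content; the private key never does.
func (s *Signer) Sign(content []byte) ([]byte, error) {
	digest := sha256.Sum256(content)
	return ecdsa.SignASN1(rand.Reader, s.key, digest[:])
}

// Verify recomputes the digest and checks the signature against the claimed sender's
// public key. One changed byte changes the digest and the check fails (integrity);
// a signature made with some other private key also fails (authenticity).
func Verify(pub *ecdsa.PublicKey, content, sig []byte) bool {
	digest := sha256.Sum256(content)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	// Constructed sample: a script that hosts should run only if its author signed it.
	script := []byte("Get-Service | Where-Object Status -eq 'Running' | Export-Csv C:\\reports\\svc.csv\r\n")

	alice, _ := NewSigner()   // the trusted script author
	mallory, _ := NewSigner() // someone else with their own key pair
	sig, _ := alice.Sign(script)

	tampered := append(append([]byte(nil), script...), []byte("Remove-Item C:\\reports -Recurse\r\n")...)
	forged, _ := mallory.Sign(script)

	fmt.Println("original script, Alice's signature, Alice's key:  ", Verify(alice.Public(), script, sig))
	fmt.Println("line appended, Alice's signature, Alice's key:    ", Verify(alice.Public(), tampered, sig))
	fmt.Println("original script, Mallory's signature, Alice's key:", Verify(alice.Public(), script, forged))
}
```

In practice the signature is carried inside the artifact rather than beside it: PowerShell's Set-AuthenticodeSignature writes it into a signature block at the end of the .ps1 and Get-AuthenticodeSignature checks it, and for the AllSigned policy to accept the script the signer's certificate must chain to a trusted root and carry the code-signing extended key usage. The example above shows only the cryptographic core of that check.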
Which component sits at the top of a PKI hierarchy? A. Intermediate CA B. Root CA C. CRL D. Device certificate
B. The root CA resides at the top of the PKI hierarchy. Below it are the intermediate (subordinate) CAs whose certificates the root signed, and below those the user and device certificates the intermediates issue. Registration authorities verify requesters but do not sign anything, and a CRL is a list the CAs publish, not a tier of the hierarchy.
You need to reduce the amount of network traffic directed at CAs by OCSP clients. What should you configure? A. CSR B. Stapling C. CRL D. Pinning
B. With OCSP stapling, the web server (the certificate holder) rather than each client periodically queries the CA's OCSP responder for its own certificate's status, caches the signed, time-stamped response, and attaches ("staples") it to the TLS handshake. Clients validate the stapled response with the CA's signature instead of contacting the responder themselves, so the CA sees one query per server per refresh rather than one per client connection.
What should you do to harden your PKI? (Choose two.) A. Ensure that public key files are password protected. B. Ensure that the root CA is online. C. Ensure that the root CA is offline. D. Ensure that private key files are password protected.
C and D. If the root CA is compromised, every certificate in the hierarchy is compromised, so the root should be kept offline except when it is needed, such as to issue or renew an intermediate CA certificate or to publish its own CRL. A public key can be shared with anyone, but a private key must be available only to its owner, since it is what decrypts messages and creates digital signatures; private key files should therefore be password protected (or, for CAs, kept in a hardware security module).
You are developing Microsoft PowerShell scripts to automate network administration tasks. The .PS1 script files need to be digitally signed and trusted to run on computers in your environment. You have already acquired a code-signing PKI certificate. You need to back up your private key. Which file format should you choose during export? (Choose two.) A. DER B. PEM C. PFX D. CER E. P12 F. P7B
C and E. PFX and P12 are the same PKCS #12 container under different file extensions: it bundles the certificate with its private key and must be password protected. DER, CER, and P7B files carry only certificates (P7B can hold a whole chain), PEM is a text encoding that can wrap a key but is not what the wizard produces, and the Windows certificate export wizard offers PKCS #12 as the only format that includes the private key.
Your web server hosts the www.corp.com and info.corp.com DNS names. Both sites require HTTPS. Which configuration meets the stated requirement while requiring the least amount of administrative effort? A. Install two certificates, one for each DNS name. B. Install a certificate revocation list on the web server host. C. Install a subject alternative name certificate on the web server host. D. Configure IPSec for the web server host.
C. A subject alternative name (SAN) certificate lists several names in one certificate, so a single certificate and a single private key secure hosts with different names, such as www.corp.com and info.corp.com. Two certificates would work but double the renewal effort; a CRL and IPsec do not provide HTTPS at all.
You are responsible for enabling TLS on a newly installed e-commerce web site. What should you do first? (Choose the best answer.) A. Install the web server digital certificate. B. Enable TLS on the web server. C. Create a CSR and submit it to a CA. D. Configure HTTPS on the web server to use port 443.
C. Acquiring a publicly trusted server certificate begins on the web server: generate a public/private key pair, then build a certificate signing request (CSR) that contains the public key and identifying details such as the company name and the site's fully qualified host name (in the common name and subject alternative name fields), sign it with the new private key, and submit it to a CA. Installing the certificate, enabling TLS, and binding port 443 all come after the CA returns the signed certificate.
Users complain that they receive an untrusted web site warning in their web browsers when connecting to a HTTPS-enabled intranet web server, but not when they connect over HTTP. What is the most likely reason this is happening? A. Users have not yet authenticated to the web site. B. The web site is blocked by a content-filtering firewall. C. The web server is using a self-signed certificate. D. User devices do not have a client certificate installed.
C. An HTTPS web server requires a server certificate; HTTP does not. If the certificate is self-signed, meaning signed with its own key rather than issued by a CA the browser trusts, the browser cannot build a chain to a trusted root and presents a security warning when users connect to the site.
Which security technique associates a host with its related public key? A. CRL B. OCSP C. Certificate pinning D. FQDN
C. Pinning is a technique used to associate hosts with their public keys. This can be done by client-side applications, including web browsers, that keep a copy, or a hash, of a host's public key. This is checked by the client app when server connectivity is initiated.
While generating a CSR for a web site, you enter the information listed here. Users will connect to the web site by typing https://www.corp.com. Identify the configuration error. Expires: Wednesday, 4 August 2021 at 11:04:38 Eastern Bit length: 2048 Common Name: 10.10.10.10 Organization: Corp Inc. OU: Sales Country: US State: TN City: Memphis A. The expiry date is less than a year away. B. The bit length should be 128. C. The common name should be www.corp.com. D. The State field must not be abbreviated.
C. The name in the CSR must match the host name users type, here www.corp.com for https://www.corp.com; a certificate whose common name is 10.10.10.10 produces a name-mismatch warning for the site. Modern browsers in fact ignore the common name and match only the subject alternative name (SAN) extension, so the host name must appear there as well. A validity of under a year is normal (public CAs cap it at 398 days), 2048 bits is a standard RSA key length (128 bits would be a symmetric key size), and the two-letter state abbreviation is fine.
Which naming prefix identifies a PKI certificate subject name? A. Domain component B. Component name C. Common name D. DNS component
C. The common name (CN) attribute identifies the certificate's subject, such as a user's e-mail address or the FQDN of a web site. An example is [email protected].
When users connect to an intranet server by typing https://intranet.corp.local, their web browser displays a warning message stating the site is not to be trusted. How can this warning message be removed while maintaining security? A. Configure the web server to use HTTP instead of HTTPS. B. Install the intranet server private key on all client workstations. C. Use TCP port 443 instead of TCP port 80. D. Install the trusted root certificate in the client web browser for the issuer of the intranet server certificate.
D. If users' devices are configured with the correct trusted certificate for the intranet server certificate issuer, then user devices will trust certificates issued by that authority.
An HTTPS-secured web site requires that you restrict some workstations from making a connection. Which option is the most secure? A. Configure the web site to allow connections only from the IP addresses of valid workstations. B. Configure the web site to allow connections only from the MAC addresses of valid workstations. C. Configure the web site to use user authentication. D. Configure the web site to require client-side certificates.
D. Mutual authentication requires both sides of a secured connection to authenticate with each other. Normally an HTTPS web site secures connections for anybody who has permissions to use the web site. To enhance security further, connecting devices can be required to have an installed and trusted certificate, which enables each party to validate the other's identity.
Which of the following is never stored with a digital certificate? A. Public key B. Private key C. Digital signature of issuing CA D. IP address of CA server
D. The IP address of the issuing CA server is not a field in an issued certificate; at most the certificate carries URLs for the CA's CRL distribution point and OCSP responder. The certificate does contain the subject's public key and the issuing CA's digital signature. The subject's private key is never inside the certificate either, but it is commonly stored alongside it in a PKCS #12 (PFX) file, which is why D is the best answer.
What is established when a device trusts a public CA root certificate? A. Certificate revocation B. Registration authority C. Certification authority D. Chain of trust
D. The PKI chain of trust is based on digital signatures written to issued certificates by a root or intermediary CA. For example, if a user device trusts RootCA1, then the user device trusts all certificates issued directly or indirectly by RootCA1.
How do client devices trust the TLS certificate used by an HTTPS web server? A. Key escrow B. Stapling C. Pinning D. Certificate chaining
D. The PKI chain of trust, also referred to as certificate chaining, is based on digital signatures written to issued certificates by a root or intermediary CA. For example, if a user device trusts RootCA1, then the user device trusts all certificates issued directly or indirectly by RootCA1.
Your company has registered DNS domains such as corp.com and info.corp.com. You need to ensure that web servers for these DNS domains use secured HTTPS, and you must also ensure that future subdomains of corp.com are supported for HTTPS with the least amount of administrative effort. What should you deploy? A. A certificate for each current and future web site B. RA C. SAN certificate D. Wildcard certificate
D. A wildcard certificate for *.corp.com secures any single-label subdomain of corp.com, so www.corp.com, info.corp.com, and subdomains created later are all covered by one certificate without reissuing it, whereas a SAN certificate lists only the names known at issuance. Two caveats: a wildcard matches exactly one label, so it does not cover deeper names such as a.b.corp.com, and it does not cover the bare corp.com name itself, which must be added as an explicit SAN entry on the same certificate.
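The SAN, common-name and wildcard answers above all reduce to one question a client asks after the chain verifies: does the name the user typed appear in the certificate? The following added example (not from the study guide) uses Go's crypto/x509 hostname check, which follows the same rules as current browsers, on four constructed self-signed certificates: the mis-configured CSR from the earlier question (CN=10.10.10.10, no SAN), a certificate with the right name only in the CN, a SAN certificate for www.corp.com and info.corp.com, and a wildcard for *.corp.com. The host names and the organization are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ServerCert builds a throwaway self-signed server certificate with the given
// common name and subject alternative names. Constructed for illustration: the
// issuer does not matter for name matching, only the names in the certificate do.
func ServerCert(cn string, sans ...string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Corp Inc."}},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Accepts reports whether a browser-style name check accepts cert for the host the
// user typed. This is the check a client runs after validating the chain of trust.
func Accepts(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	cases := []struct {
		label string
		cert  *x509.Certificate
		hosts []string
	}{
		{"CN=10.10.10.10, no SAN (the CSR in the question)", ServerCert("10.10.10.10"), []string{"www.corp.com", "10.10.10.10"}},
		{"CN=www.corp.com, no SAN", ServerCert("www.corp.com"), []string{"www.corp.com"}},
		{"SAN: www.corp.com, info.corp.com", ServerCert("www.corp.com", "www.corp.com", "info.corp.com"), []string{"www.corp.com", "info.corp.com", "shop.corp.com"}},
		{"wildcard *.corp.com", ServerCert("*.corp.com", "*.corp.com"), []string{"www.corp.com", "new.corp.com", "corp.com", "a.b.corp.com"}},
	}
	for _, c := range cases {
		for _, h := range c.hosts {
			fmt.Printf("%-48s %-14s accepted=%v\n", c.label, h, Accepts(c.cert, h))
		}
	}
}
```

Two results are worth noting. The certificate with www.corp.com only in its CN is rejected, because modern verifiers match names solely against the subject alternative name extension, so a CSR must always list the host name there. And the wildcard accepts www.corp.com and a not-yet-created new.corp.com but rejects corp.com itself and a.b.corp.com: a wildcard stands for exactly one DNS label, so the apex name, if it is needed, must be added as an explicit SAN entry.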