Chapter 12: Planning, Implementing, and Maintaining a Public Key Infrastructure


1.

You are setting up a procedure to keep documents exchanged between members of the R & D department secret. They will be sending these documents across the Internet to each other. Which PKI process will you need to employ to achieve this?

  A. Confidentiality

  B. Non-repudiation

  C. Authentication

  D. Data Integrity


Answers

1.

A. PKI confidentiality is the encryption of data to keep those without the proper credentials/authority from accessing the data; therefore, Answer A is correct.

Answer B is incorrect because non-repudiation provides the receiver with a guarantee that the sender cannot deny the origin of the data. Answer C is incorrect because authentication is the act of verifying the identity of the sender. Answer D is incorrect because data integrity guarantees that the data is unchanged from the time the sender sent or saved it.

Implementing Certification Authorities

9.

You are the administrator for a large and very busy network and your bandwidth is nearing its limits. Your users are complaining about the time it takes to access the payroll server to update their hours. All users are required to have certificate authentication to access the server. What can you change in your current setup to help reduce network traffic and speed access to the payroll server?

  A. Configure the CA to use complete CRLs for replication.

  B. Assign times for each user to update their payroll.

  C. Use DES for the encryption method.

  D. Configure the CA to use Delta CRLs.


10.

Your department has completed preliminary testing of a newly established PKI, and before actual deployment begins, you’ve been assigned the task of revoking the test certificates. So far, there is only a single enterprise CA installed, and Active Directory is of course in use. Which of the following steps should you take?

  A. In the Certification Authority console, expand the Issued Certificates container, and revoke all certificates by right-clicking each certificate and choosing All | Revoke Certificate.

  B. In the Certification Authority console, expand the Issued Certificates container, and revoke all certificates by right-clicking each certificate and choosing All | Revoke Certificate. Right-click the Revoked Certificates container, and choose All Tasks | Publish.

  C. Using the Certificates snap-in, expand the Personal container, and highlight the Certificates container found beneath. In the right pane of the console, right-click each certificate and choose Add to Certificate Revocation List.

  D. Using the Certificates snap-in, expand the Personal container, and highlight the Certificates container found beneath. In the right pane of the console, right-click each certificate and choose Add to Certificate Revocation List. Right-click the Trusted Root Certification Authority, and choose Publish to Directory.


11.

You decide to implement a Windows Server 2003-based PKI for your network, and because you want the most secure method of issuing and maintaining certificates, you decide to use a stand-alone server to issue a certificate to a subordinate, which in turn issues certificates to users. You take the root CA offline. Your users complain that they are unable to access some resources. After investigating the problem you discover that they can log on to the network and access everything except those resources protected by certificates. They also can connect to the servers by both name and IP address. What is preventing the users from gaining access to those resources?

  A. The root CA server is offline.

  B. The subordinate CA is offline.

  C. The certificates have been compromised.

  D. The certificates are still pending.


12.

You have a two-tier hierarchy for your certificate PKI. OurRoot is an enterprise root CA. OurIssuer1 and OurIssuer2 are OurRoot subordinates. These two CAs issue all the certificates for your company. OurIssuer1 issues to the northern region and OurIssuer2 issues to the southern region. An ex-employee appears to have obtained the issuing certificate for OurIssuer2. What steps would you take to prevent users from using certificates issued by the compromised server?

  A. Add the compromised certificate to the CRL from OurRoot.

  B. Delete all certificates on OurIssuer2 and reissue them.

  C. Reinstall certificate services on OurIssuer2.

  D. Add all certificates issued by OurRoot to the CRL.


13.

As a member of the PKI design team in your company, you are charged with integrating one of your subsidiaries that already has a PKI with your office’s PKI. The current proposal on the table has a second-tier CA located in your local PKI issuing certificates to a second-tier CA located on the subsidiary’s PKI, and vice-versa. Both infrastructures are Windows Server 2003 based. Your company’s security goals, however, mandate that only certain certificates be used on your PKI if they are issued from the subsidiary’s CA, but all your CA’s certificates need to be trusted by the subsidiary. What is your assessment?

  A. Both your office and the subsidiary will need to create a CTL that has a limited trust chain length on your side.

  B. The subsidiary’s CA needs to be reconfigured as your CA’s subordinate.

  C. A cross-trust needs to be created, and the type of acceptable certificates for your CA narrowed by using qualified subordination policies.

  D. This arrangement is not possible under Windows Server 2003. The company needs to implement a third-party PKI.


14.

Your company has a partner with whom you need to communicate securely. You have an existing root CA and need to allow usage for partner-issued certificates as well. In which of the following ways can you accomplish this? Choose all that apply.

  A. Create a CTL.

  B. Install an issuing CA at the partner’s site.

  C. Create a cross-trust hierarchy.

  D. Install a partner’s issuing CA at your site.


15.

You are the administrator of an existing three-tier PKI including a stand-alone Root CA, three mid-level CAs, and twelve issuing CAs. You fear that your Root certificate has been compromised. What steps should you take to secure your infrastructure with the least amount of administrative effort?

  A. Add the twelve issuing CAs’ certificates to the mid-level CAs’ CRL.

  B. Add the three mid-level CAs’ certificates to the Root CA’s CRL.

  C. Add the Root CA’s certificate to the three mid-level and twelve issuing CAs’ CRL.

  D. Create a new CA hierarchy and issue new certificates to all clients.


Answers

9.

D. Delta CRLs replicate only the new revocations to each CRL distribution point. This means a smaller file, hence less network traffic. This allows for more frequent but much smaller data transfers. Therefore, Answer D is correct.

A, B, C. Using complete CRLs is the default setting, which means the entire CRL is replicated at the specified interval. If there is no new information, the CRL is published regardless. Giving each user a time frame to update might work, but the administrative overhead would be tremendous and there would be no guarantee the users would cooperate.

10.

B. Clients only check the CRL, not the CA itself, for valid certificates. A revoked certificate must be distributed to the CRL, and the CRL must then be downloaded by the client, before the certificate is rendered completely invalid. Therefore, Answer B is correct.

Answer A is incorrect because revoking a certificate is not sufficient to render a certificate invalid in a Windows PKI. If the certificate is not published to the CRL, clients will not be aware that the certificate has been revoked. Answer C is incorrect because the Certificates snap-in cannot be used to revoke and publish certificates (there is no such command). In fact, the Certificates snap-in is used on the client machine, generally not the CA. Answer D is similarly incorrect.
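As an added illustration of the behaviour behind questions 9 and 10 (example code, not from the book): a simplified Python model of a CA that publishes base and delta CRLs, and a client that trusts only what has actually been published. CRL numbers, serial numbers and the class names are constructed; a real CRL is a signed X.509 ASN.1 structure with validity dates, which this model leaves out.

```python
# Added example (not from the book): simplified base/delta CRL publication and a
# client that consults only published CRLs.  CRL numbers and serials are constructed;
# signatures, thisUpdate/nextUpdate and the ASN.1 encoding are deliberately omitted.
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class BaseCRL:
    crl_number: int
    revoked: FrozenSet[int]      # every revoked serial known at publication

@dataclass(frozen=True)
class DeltaCRL:
    crl_number: int
    base_crl_number: int         # "Delta CRL Indicator": the base this delta extends
    added: FrozenSet[int]        # only serials revoked since that base

class CertificationAuthority:
    """CA side: revoking records the serial in the CA database at once, but
    nothing reaches the CRL distribution point until a CRL is published."""
    def __init__(self) -> None:
        self.revoked: set = set()                       # Revoked Certificates container
        self._crl_number = 0
        self.published_base = BaseCRL(0, frozenset())   # empty initial CRL
        self.published_delta: Optional[DeltaCRL] = None

    def revoke(self, serial: int) -> None:
        """All Tasks | Revoke Certificate: database only; clients see nothing yet."""
        self.revoked.add(serial)

    def publish_base_crl(self) -> None:
        """Complete CRL: the whole list is transferred, however little has changed."""
        self._crl_number += 1
        self.published_base = BaseCRL(self._crl_number, frozenset(self.revoked))
        self.published_delta = None                     # a new base supersedes deltas

    def publish_delta_crl(self) -> None:
        """Delta CRL: only entries added since the current base was published."""
        self._crl_number += 1
        new = frozenset(self.revoked) - self.published_base.revoked
        self.published_delta = DeltaCRL(self._crl_number,
                                        self.published_base.crl_number, new)

class Client:
    """Relying party: checks its cached CRLs; it never asks the CA directly."""
    def __init__(self) -> None:
        self.base: Optional[BaseCRL] = None
        self.delta: Optional[DeltaCRL] = None

    def download(self, ca: CertificationAuthority) -> None:
        self.base, self.delta = ca.published_base, ca.published_delta

    def is_revoked(self, serial: int) -> bool:
        if self.base is None:
            raise ValueError("no CRL cached; revocation status unknown")
        revoked = set(self.base.revoked)
        if self.delta is not None:
            # A delta is only meaningful on top of the exact base it was cut from.
            if self.delta.base_crl_number != self.base.crl_number:
                raise ValueError("delta CRL does not match the cached base CRL")
            revoked |= self.delta.added
        return serial in revoked

def revocation_walkthrough() -> dict:
    """Question 10: revoking alone changes nothing for clients, publishing does.
    Question 9: the delta carries only the new entry, not the whole list."""
    ca, client = CertificationAuthority(), Client()
    ca.revoke(0x1001)
    ca.publish_base_crl()
    client.download(ca)
    before = client.is_revoked(0x1002)             # 0x1002 is still good
    ca.revoke(0x1002)                              # revoked but not yet published
    client.download(ca)
    after_revoke_only = client.is_revoked(0x1002)  # client still trusts it
    ca.publish_delta_crl()                         # Revoked Certificates | All Tasks | Publish
    client.download(ca)
    after_publish = client.is_revoked(0x1002)      # now rejected
    return {"before": before, "after_revoke_only": after_revoke_only,
            "after_publish": after_publish,
            "delta_entries": len(ca.published_delta.added),  # delta transfer size
            "full_entries": len(ca.revoked)}                 # complete CRL size

def stale_base_is_detected() -> bool:
    """Edge case: a client holding an older base must not apply a delta that
    was cut from a newer one; the Delta CRL Indicator catches the mismatch."""
    ca, client = CertificationAuthority(), Client()
    ca.revoke(1)
    ca.publish_base_crl()                          # base CRL number 1
    client.download(ca)
    ca.revoke(2)
    ca.publish_base_crl()                          # base CRL number 2, never fetched
    ca.revoke(3)
    ca.publish_delta_crl()                         # delta refers to base 2
    client.delta = ca.published_delta              # only the small delta was fetched
    try:
        client.is_revoked(3)
    except ValueError:
        return True
    return False
```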

11.

D. By default the certificates on a stand-alone CA are issued manually by an administrator. Certificates will be in “pending” status until the administrator issues them; therefore, Answer D is correct.

Answer A is incorrect because the root CA should be taken offline for increased security. Answer B is incorrect because, since the subordinate will be issuing the certificates to users, this would not affect the capability to receive or verify a certificate. Answer C is incorrect because you have full connectivity using name and IP address, which verifies your DNS and network address settings and operation; access to the resource would not be affected even if the certificates had been compromised. Adding the compromised certificates to the CRL would be the appropriate action to take in this case.

12.

A. The compromised certificate would be revoked and all certificates issued using that certificate would be revoked as a result. Don’t forget to force a CRL update (Revoked Certificates | All Tasks | Publish in the CA snap-in).

Answer B is incorrect because deleting all certificates and reissuing them would be extremely time consuming (every machine that had a certificate from OurIssuer2 would have to be examined). Reissuing them would provide new certificates, but since the issuing certificate is compromised, this would not prevent anyone from issuing bogus certificates. Answer C is incorrect because reinstalling would not change the validity of current certificates or those issued by a compromised certificate. Answer D is incorrect because revoking all certificates issued by the root CA would also invalidate all the certificates issued by OurIssuer1. This would cause needless problems in the northern region.

13.

C. Windows Server 2003 is capable of using qualified subordination. This new feature enables restrictions to be placed on the level and depth of trust that exists in a cross-trust relationship; therefore, Answer C is correct.

Answer A is incorrect because a Certificate Trust List (CTL) by itself is not capable of limiting the types of acceptable certificates on one partner. Also, the length of the trust chain is not the main concern in this situation. Answer B is incorrect because configuring the subsidiary’s CA to be a subordinate of yours will not change the types of certificates that are trusted. It only changes the number of levels in the hierarchy. Answer D is incorrect because, using qualified subordination properly, the situation described can be implemented without having to rely on a third-party company.

14.

A, C. A CTL or cross-trust hierarchy will enable your CA to recognize a certificate issued by a CA that is not a part of your network; therefore, Answers A and C are correct.

Answer B is incorrect because installing an issuing CA at your partner’s site enables them to get a certificate from your hierarchy but doesn’t enable your resources to recognize the partner-issued certificates. Answer D is incorrect because installing a partner’s CA at your location enables you to get certificates for their network but doesn’t enable them to access your PKI.

15.

D. If your Root CA is compromised, all certificates that are in that hierarchy become compromised also. This is the reason that the logical and physical security of the Root is so important in any PKI – the cost of rebuilding after a successful attack on the Root can be enormous. Therefore, Answer D is correct.

Answers A and B are incorrect because all certificate trust hierarchies begin with the Root CA. Revoking either the mid-level or the issuing certificates alone is insufficient in this case. If an issuing CA had been compromised, then adding its certificate to the upstream CA’s CRL would work, and similarly if a mid-level CA had been compromised, then adding its certificate to the Root’s CRL would be reasonable. However, there is no upstream CA to a Root. Answer C is incorrect because you cannot add an upstream, and therefore trusted, certificate to a CRL.

Planning Enrollment and Distribution of Certificates

13.

You are attempting to request a certificate by using Internet Explorer, but fail to display the welcome screen of the Web site. You have typed in the address http://mycertauthority/certsrv and you’ve double-checked the name of the CA. Also, you have confirmed with the network administrator that the CA is configured with IIS, and the Web enrollment support option was chosen during the certificate services installation. What is the most likely cause of the problem?

  A. The CA is configured as a standalone.

  B. IIS was installed after certificate services.

  C. The EAP protocol has not been installed.

  D. You are using a Windows 2000 Professional client.


14.

The Ecstatic Llama Company wants your consulting firm to implement a two-tier private CA design made specifically for their PKI. Because the plans for ELC call for high security, the root CA will be designated as standalone and offline. Your job is to install an enterprise subordinate CA while maintaining the security needs of your client. What are the two best methods to accomplish this task? Choose two answers.

  A. In the Certification Authority console, configure the subordinate to use auto-enrollment and reboot the machine.

  B. In the Certification Authority console, point the subordinate to use Active Directory and configure the subordinate to trust the root CA.

  C. Put the root CA briefly online and use Web enrollment to obtain the root CA certificate, then take the root CA back offline.

  D. Save the subordinate request as a PKCS #10 file, transport the file to the root CA, issue the certificate, and then transport the certificate back to the subordinate.


15.

You are the CA administrator for your branch office and want to have greater control over your certificate managers. Your plan is to have each manager manage certificates over a different Active Directory group, but you do not want to give any manager the capability to renew the CA’s certificate. What is your best course of action?

  A. In the Certification Authority snap-in, use the Security tab of the CA’s property sheet to configure manager restrictions.

  B. Using the Certificate Templates snap-in, right-click the Certificate Templates container, and choose Properties. On the Security tab, give the Certificate Managers group the Issue and Manage Certificates permission.

  C. In the Certification Authority snap-in, use the Certificate Managers Restrictions tab of the CA’s property sheet and choose the Restrict certificate managers option.

  D. It cannot be done.


16.

As the network administrator for B & H Day Care Centers, you are attempting to configure a third-tier CA to issue a particular type of certificate. From the Certificate Templates snap-in, you have duplicated an existing template and modified it to B & H’s specifications. However, users are still unable to successfully install the certificate governed by the new template. You have checked the structure of the CA hierarchy and are comfortable that no intentional attacks have taken place. What first step can you take to ensure the proper distribution of the certificate?

  A. Launch the Certificate Templates snap-in, right-click the Certificate Templates container, and select New | Certificate Template to Issue. Select the new certificate template.

  B. Launch the Certificate Templates snap-in and highlight the Certificate Templates container. In the right pane of the console, right-click the new certificate template, and choose Properties. From the Publish tab, select the Publish to Directory option.

  C. From any PKI client’s browser, point to http://servername/certsrv, where servername is the name of the CA that contains the new certificate template. Select the Issue a Certificate Template link.

  D. Using an account with appropriate permissions, copy the new certificate template to the root CA’s certificate store. From the root CA, enable the template by using the Certificate Templates snap-in.


Answers

13.

B. If IIS is installed after certificate services, even if the Web enrollment support option is chosen, the appropriate virtual directories are not created. To remedy the situation, you can use the command line tool certutil -vroot. Therefore, Answer B is correct.

Answer A is incorrect because as long as the CA is on the network and has IIS installed properly, Web enrollment by clients is possible. Answer C is incorrect because EAP is not necessary when using a browser to request a certificate. EAP is used primarily for smart card authentication. Answer D is incorrect because a Windows 2000 Professional client comes pre-installed with a version of Internet Explorer higher than 5.0, which is the minimum requirement.

14.

C, D. Answer C is correct because any client can use a browser to obtain certificates from a CA, even the root CA. As long as the root CA is online, running IIS, and has Web enrollment support installed, this method will succeed. Answer D is correct because of Windows’ capability to create a file containing a certificate request. PKCS #10 is the standard PKI request form, and after the file is saved to disk, the disk can be physically transported to the root CA. After the root CA generates the certificate, the certificate itself can be transported back to the subordinate.

Answer A is incorrect because auto-enrollment cannot be used to request certificates from a stand-alone CA. Also, the Certification Authority console would not function properly until the subordinate had actually been installed. Answer B is incorrect because there is no direct option to configure the use of Active Directory, and Active Directory cannot be used with a stand-alone machine. Also, there is no option in the Certification Authority console to “trust” another CA. Trust is established by validating other PKI entities’ certificates.

15.

C. The options on the Certificate Managers Restrictions tab enable you to grant or deny each manager’s capability to manage users, groups, and computers. Renewing the CA’s certificate is a capability given only to the CA administrator with Manage CA permission. Therefore, Answer C is correct.

Answer A is incorrect because the Security tab allows only Read, Issue and Manage Certificates, Manage CA, and Request Certificates permissions. In fact, it is the Issue and Manage Certificates permission itself that defines the role of certificate manager. You cannot dictate what groups a manager has control over using this tab. Answer B is incorrect for similar reasons. Also, there is not an Issue and Manage Certificates permission on the Security tab of the Certificate Template container’s property sheet. Answer D is incorrect because using the Certificate Managers Restrictions tab of the CA’s property sheet enables you to properly restrict control.

16.

A. Answer A is the only possible answer. After a template is created by duplicating another template and editing the copy, it will not become available to clients until the template is enabled. Answer A gives the proper way to enable a certificate template.

Answer B is incorrect because a Publish tab does not exist as described. The correct way to enable a certificate is by selecting New | Certificate Template to Issue as in Answer A. Answer C is incorrect because you cannot manage templates using the Web enrollment service. Answer D is incorrect because any CA may issue certificates. In a three-tier hierarchy, the root CA’s only responsibility would be to issue certificates to subordinate CAs.

Implementing Smart Card Authentication in the PKI

1.

You have been designated as the enrollment agent for the entire Pants, Inc. organization during the smart card deployment that has just been completed. Your supervisor has now assigned you the project of updating the company’s VPN solution by configuring the current RRAS server to accept smart card remote access. However, when you log on to the server and attempt to configure it, you are unsuccessful. What is the most likely reason for the failure?

  A. The Extensible Authentication Protocol (EAP) has not been installed.

  B. You are not a member of the Administrators group.

  C. The Routing and Remote Access Service does not have the required application certificate.

  D. A smart card reader has not been installed on the server.


2.

Your company uses smart card authentication for its local network. You are an administrator and have been directed to install a new domain controller in the main office. You install Windows Server 2003 on the new hardware and begin the dcpromo process. When the install process asks you for authentication, what will you need to supply to finish the promotion?

  A. Username and password

  B. Smart card and PIN

  C. Username and PIN

  D. Smart card and password

A. To promote a server to a domain controller, you must provide Kerberos or NTLM authentication information prior to receiving a certificate from the issuing CA; therefore, Answer A is correct.

Answer B is incorrect because a smart card and PIN are required after the server has been promoted and is operational. Answers C and D are incorrect because a username requires a password and smart cards use PINs as the second part of the two-part authentication process.

3.

You are the administrator of a small network, and you have recently assigned yourself as an enrollment agent for your firm’s new smart card system by making sure that you have Read and Enroll permissions on the Smart Card Logon template’s Security tab. However, when you begin testing the implementation, you discover that you are unable to fully complete a request for a certificate on behalf of another user. You are using Internet Explorer on the enrollment station computer. Which of the following, if true, could be reasons for the failure? Choose all that apply.

  A. The smart card manufacturer’s CSP has not been installed on the enrollment station.

  B. IIS has not been installed on the enrollment station.

  C. The Write permission has not been assigned to your account.

  D. Neither the Smart Card Logon nor the Smart Card User templates have been enabled on the CA.

  E. You logged on to the enrollment station using your administrator account.


Answers

1.

B. For security reasons, you must be an administrator to configure the server’s RRAS. Being an enrollment agent does not make you an administrator. Enrollment agents are simply users who have been granted the permissions needed to request smart card certificates on behalf of other users; they hold no rights over the RRAS server itself. Therefore, Answer B is correct.

Answer A is incorrect because EAP is installed as part of the server’s configuration process – it is not required to be installed beforehand. Answer C is incorrect because, although it is true that a machine certificate is required on the server, an application certificate is not. Answer D is incorrect because a smart card reader is required only on the remote client machines. The server does not need a reader to receive authentication requests over the VPN.

2.

A. To promote a server to a domain controller, you must supply domain credentials (authenticated with Kerberos or NTLM) before the new server has obtained any certificate from the issuing CA, so it cannot yet use certificate-based smart card logon; therefore, Answer A is correct.

Answer B is incorrect because a smart card and PIN are required after the server has been promoted and is operational. Answers C and D are incorrect because a username requires a password and smart cards use PINs as the second part of the two-part authentication process.

3.

A and D. Answer A is correct because many smart card manufacturers use a proprietary CSP, or one that is not pre-installed on Windows Server 2003. A smart card cannot be enrolled until the CSP for that card has been installed on the enrollment station. Answer D is correct because the Smart Card Logon and Smart Card User templates are the templates a CA uses to issue the smart card certificates that an enrollment agent requests. At least one of them must be enabled on the CA, or the CA will be unable to issue the necessary certificate.

Answer B is incorrect because the enrollment station is only the client requesting the certificate, and therefore only needs to employ a browser. The CA responsible for issuing the certificate must have IIS installed and Web enrollment support enabled. Answer C is incorrect, because only the Read and Enroll permissions are required for an enrollment agent to request certificates for another user. Also, you are an administrator and will already have the needed permission levels assigned to you. Answer E is incorrect for this same reason – the administrator is fully capable of behaving as an enrollment agent.
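The explanation for question 3 amounts to three checks an administrator would run before touching anything else: is a CSP for the card installed on the enrollment station (Answer A), are the smart card templates enabled on the CA (Answer D), and does the requesting account actually hold Read and Enroll on the template (the permissions the question assumes). The following PowerShell script is an added example and is not from the study guide; it uses certutil and the template objects in Active Directory to verify those three conditions. The vendor CSP substring, the CA configuration string and the domain are placeholders you must change; the template names SmartcardLogon and SmartcardUser are the directory (cn) names of the "Smart Card Logon" and "Smart Card User" templates.

```powershell
# Added example (not part of the study guide): verify the three prerequisites
# from question 3 before enrolling a smart card on behalf of another user.
# Run the CSP check on the enrollment station; the CA and template checks can
# run from any domain-joined machine that can reach the CA.
param(
    # Substring of the card vendor's CSP name as shown by certutil -csplist.
    # 'Gemplus' is only a placeholder (assumption).
    [string]$VendorCsp = 'Gemplus',
    # CA configuration string in HOST\CAName form; placeholder (assumption).
    [string]$CaConfig  = 'CA01\Contoso Issuing CA'
)

# Directory names of the templates the answer key refers to.
$templates = 'SmartcardLogon', 'SmartcardUser'

# --- Check 1 (Answer A): is a CSP for this card installed locally? ---------
$cspList = certutil -csplist 2>&1
if ($cspList -match [regex]::Escape($VendorCsp)) {
    Write-Host "OK: a CSP matching '$VendorCsp' is installed on this station."
} else {
    Write-Warning "No CSP matching '$VendorCsp' found. Install the vendor CSP first."
}

# --- Check 2 (Answer D): are the smart card templates enabled on the CA? --
# certutil -catemplates prints one line per enabled template, starting with
# the template's directory name followed by a colon.
$enabled = certutil -config $CaConfig -catemplates 2>&1
$anyEnabled = $false
foreach ($t in $templates) {
    if ($enabled -match "^$t\b") {
        Write-Host "OK: template $t is enabled on $CaConfig."
        $anyEnabled = $true
    } else {
        Write-Host "Template $t is NOT enabled on $CaConfig."
    }
}
if (-not $anyEnabled) {
    Write-Warning 'Neither smart card template is enabled; the CA cannot issue the certificate.'
}

# --- Check 3: does the current account hold Read and Enroll on the template? -
# Enroll on a template is the Certificate-Enrollment extended right, identified
# by this fixed schema GUID. Read is GenericRead (or at least ReadProperty).
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$me          = [Security.Principal.WindowsIdentity]::GetCurrent()
$mySids      = @($me.User) + @($me.Groups)
$cfgNc       = ([ADSI]'LDAP://RootDSE').configurationNamingContext

foreach ($t in $templates) {
    $dn   = "CN=$t,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"
    $tmpl = [ADSI]"LDAP://$dn"
    $rules = $tmpl.ObjectSecurity.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $mySids -contains $_.IdentityReference.Translate([Security.Principal.SecurityIdentifier])
    }
    $hasEnroll = [bool]($rules | Where-Object { $_.ObjectType -eq $enrollRight })
    $hasRead   = [bool]($rules | Where-Object {
        ($_.ActiveDirectoryRights -band 'GenericRead') -or
        ($_.ActiveDirectoryRights -band 'ReadProperty')
    })
    Write-Host ("Template {0}: Read={1} Enroll={2}" -f $t, $hasRead, $hasEnroll)
    if (-not ($hasRead -and $hasEnroll)) {
        Write-Warning "Grant Read and Enroll on $t to the enrollment agent's account or group."
    }
}
```

Run it as the account that will act as enrollment agent, since check 3 evaluates the caller's own token (user SID plus group SIDs) against the template ACL. A failure in check 1 is local to the enrollment station, while failures in checks 2 and 3 have to be fixed on the CA and in Active Directory respectively; the station itself needs nothing more than a browser and the CSP, which is why Answer B in the question is wrong.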




MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
Year: 2003
Pages: 173
