Exam Prep Questions

Question 1


What are the two certificate encodings that are available when downloading an identity certificate? (Choose two.)

  • A. PEM Base 64

  • B. PKCS#10

  • C. DER RAW Binary

  • D. PKCS#7

A1:

Answers A and C are correct. DER (raw binary) and PEM (Base64-encoded text) are the two encodings the concentrator supports for identity certificates. Answer B is wrong because PKCS#10 is a certificate request message syntax, and Answer D is wrong because PKCS#7 is a certificate envelope message syntax.

Question 2

Which is an emerging standard format for digital certificates?

  • A. X.25

  • B. X.121

  • C. X.509

  • D. X.10

A2:

Answer C is correct. The most prevalent digital certificate format used today is the X.509 format. Cisco products support versions 1, 2, and 3 of this format. Answers A, B, and D are incorrect because they are not formats for digital certificates.

Question 3

What devices might you find in a hierarchical certificate authority PKI? (Choose all that apply.)

  • A. Root CA

  • B. Registration Authority (RA)

  • C. Domain Authority

  • D. Secondary CA

  • E. Certificate Manager

  • F. Subordinate CA

A3:

Answers A, B, and F are correct. A tiered or hierarchical PKI comprises the root CA server, subordinate CAs, and sometimes registration authorities. Answers C, D, and E are incorrect because these are not actual devices that you will encounter in a PKI.

Question 4

How many subordinate CAs are typically in a central or flat CA design?

  • A. Zero

  • B. One

  • C. Two

  • D. Three

A4:

Answer A is correct. A central or flat CA design has only a root server; there are no subordinate CAs in a central design. Answers B, C, and D are incorrect because multiple CAs are characteristic of a tiered or hierarchical CA infrastructure.

Question 5

Which two concentrator parameters must be modified after certificates are loaded into the concentrator? (Choose two.)

  • A. IKE negotiation

  • B. Certificate keepalive timers

  • C. Certificate strength

  • D. IPSEC SA

A5:

Answers A and D are correct. You must first change the IKE negotiation to use RSA or DSA certificates, then apply that IKE proposal to the IPSec SA and choose which digital certificate is to be used for that proposal. Answer B is incorrect because certificates do not have keepalive timers; they contain validity dates, which are checked against the system's internal clock. Answer C is incorrect because the certificate strength (key bit-length) is chosen when you generate the request for an identity certificate to a CA. It is not changed after the certificates are loaded onto the concentrator.

Question 6

In what order should certificates be installed on the concentrator?

  • A. Root, then preshared key

  • B. Root, then identity certificates

  • C. Identity certificate, then root

  • D. It does not matter in which order they are installed

A6:

Answer B is correct. The root (and any subordinate) certificate must be installed first so the public key of the root CA can validate the identity certificate. Answer A is incorrect because a preshared key is not installed when digital certificates are used for authentication. Answer C is incorrect because, without the root certificate already in place, the concentrator has no means to authenticate the digital signature on the identity certificate; the root's public key is contained in the root certificate. Answer D is incorrect because the installation order is definitely important: the root certificate must be installed first so that its public key can be used to validate the identity certificate.

Question 7

Which field in a certificate must coincide with a group name on an authenticating concentrator?

  • A. Organization (O)

  • B. Group (G)

  • C. Organization unit (OU)

  • D. Common name (CN)

A7:

Answer C is correct. The organization unit is the field that concentrators utilize to associate an IPSec peer to a group. Answers A and D are actual fields in a digital certificate; however, the VPN 3000 Concentrator utilizes the Organization Unit (OU) field by default to associate authenticating devices to a group. Answer B is incorrect because the Group field does not exist.

Question 8

Which two protocols can the VPN 3000 Concentrator utilize to retrieve CRLs for certificate validation? (Choose two.)

  • A. LDAP

  • B. TFTP

  • C. HTTP

  • D. FTP

A8:

Answers A and C are correct. If enabled, the VPN 3000 Concentrator can utilize either LDAP or HTTP to retrieve a CRL and check whether a certificate has been revoked. Answers B and D are incorrect because TFTP and FTP are not used to retrieve CRLs from distribution points.

Question 9

When using digital certificates, the majority of client connections are failing. What is the most likely cause of these failures?

  • A. All clients are on the CRL list.

  • B. Your system clock is not set properly.

  • C. You accidentally turned off the SCEP protocol.

  • D. The client's preshared keys do not match your preshared key.

A9:

Answer B is correct. If the concentrator's clock is improperly configured, connecting clients' certificates may appear invalid because the concentrator's date falls outside the validity dates of the certificates. Answer A is a viable answer; however, it is unlikely that all clients have been revoked. Answer C is incorrect because the SCEP protocol is used only for enrolling with a CA, not for validating certificates. Answer D is incorrect because digital certificates do not use preshared keys.

Question 10

Which of the following are possible reasons to revoke a digital certificate? (Choose all that apply.)

  • A. Organization change

  • B. Name change

  • C. Computer change

  • D. Security compromise

A10:

Answers A, B, and D are correct. Organization changes, service removals, name changes, or security compromises are all valid reasons to revoke a digital certificate. Answer C is incorrect because a computer change does not have to entail a certificate revocation. A certificate can be exported and moved to different devices.

CCSP CSVPN Exam Cram 2 (Exam Cram 642-511)
ISBN: 078973026X
Year: 2002
Pages: 185