Questions and Answers




Lesson 1 Review

Page 7-17

1. 

Which of the following scenarios would use public key encryption to keep a message sent from User A to User B private?

  a. User A encrypts a message with User B's public key.

  b. User A encrypts a message with User A's public key.

  c. User B encrypts a message with User B's private key.

  d. User B encrypts a message with User A's public key.


2. 

Which of the following is a feature unique to enterprise CAs?

  a. Web enrollment.

  b. Certificate autoenrollment.

  c. Certificates can be revoked.

  d. Certificates can be renewed prior to their expiration date.


Answers

1. 

a. In this scenario, only User B's private key could decrypt the message.

2. 

b. Only enterprise CAs can provide certificate autoenrollment.
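Added example (PowerShell with the .NET RSA classes; this is not code from the training kit). It shows why answer a is the only private choice: the message is encrypted under User B's public key, User B's private key recovers it, and neither User A's private key nor the public half of User B's key can. The message text is a constructed sample; no CA or certificate is involved.

```powershell
# Added example, not from the training kit: public-key confidentiality with RSA-OAEP.
# User A encrypts with User B's PUBLIC key; only User B's PRIVATE key can decrypt.
# Windows PowerShell 5.1 / PowerShell 7 on Windows (RSACng). On other platforms use
# [System.Security.Cryptography.RSA]::Create(2048) in place of RSACng.

$userA = [System.Security.Cryptography.RSACng]::new(2048)   # A's key pair
$userB = [System.Security.Cryptography.RSACng]::new(2048)   # B's key pair

# What A actually receives from B is only the public half (modulus + exponent).
$bPublicOnly = [System.Security.Cryptography.RSACng]::new()
$bPublicOnly.ImportParameters($userB.ExportParameters($false))   # $false = no private key

$padding   = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
$plaintext = [System.Text.Encoding]::UTF8.GetBytes('meeting moved to 3pm')   # constructed sample

# Scenario a: A encrypts to B using B's public key.
$ciphertext = $bPublicOnly.Encrypt($plaintext, $padding)

# Only B's private key recovers the message.
$recovered = [System.Text.Encoding]::UTF8.GetString($userB.Decrypt($ciphertext, $padding))
"B decrypts: $recovered"

# A's private key belongs to a different key pair: the OAEP check fails and Decrypt throws.
try {
    $null = $userA.Decrypt($ciphertext, $padding)
    'A decrypted the message (this should not happen)'
} catch {
    "A cannot decrypt: $($_.Exception.Message)"
}

# The public-only copy of B's key cannot decrypt either; a public key only encrypts.
try {
    $null = $bPublicOnly.Decrypt($ciphertext, $padding)
    'public key decrypted the message (this should not happen)'
} catch {
    "B's public key alone cannot decrypt: $($_.Exception.Message)"
}
```

Scenarios b and d encrypt under User A's public key, so only User A could read the result, and scenario c encrypts under a private key, which anyone holding the matching public key can undo; that is a signature, not confidentiality.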

Lesson 2 Review

Page 7-29

1. 

Which of the following tasks can be performed on version 1 certificate templates? (Choose all that apply.)

  a. Adding a certificate based on the template to a CRL

  b. Changing the expiration date of the template

  c. Superseding the template with a version 2 template

  d. Changing the permissions assigned to the template


2. 

Where in the Active Directory are certificate templates located?

  a. CN=Certificate Templates,CN=Public Key Services,CN=Extended-Rights,CN=Configuration,DC=ForestRootNameDN

  b. CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootNameDN

  c. CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Domain,DC=ForestRootNameDN

  d. CN=Certificate Templates,CN=NetServices,CN=Services,CN=Configuration,DC=ForestRootNameDN


Answers

1. 

a, c, and d. While most properties of version 1 certificate templates cannot be modified, you can change their permissions. Version 1 certificate templates can be superseded; in fact, superseding one with a version 2 template is the only way to make most types of modifications. Additionally, certificates based on version 1 templates can be revoked and therefore added to a CRL.

2. 

b. The certificate templates are contained within the CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootNameDN container. The container is in the configuration partition, so every domain in the forest shares one set of templates. (CN=Extended-Rights, which answer a names, holds the definitions of extended rights such as Enroll and Autoenroll, not the templates.)
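Added example (PowerShell, not part of the training kit) covering both review questions: it reads the templates container named in answer 2 directly from the configuration partition, then uses the msPKI-Template-Schema-Version and msPKI-Supersede-Templates attributes to show the version 1 template facts in answer 1. It uses only System.DirectoryServices, so it runs as an ordinary domain user on any domain-joined computer without the ActiveDirectory module; the ACL check at the end uses the built-in User template, and the Enroll extended-right GUID is the well-known value 0e10c968-78fb-11d2-90d4-00c04f79dc55.

```powershell
# Added example, not from the training kit: enumerate certificate templates in AD.

# RootDSE gives the forest's configuration naming context, so no DN is hard-coded.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.configurationNamingContext.Value
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
"Templates live in: $templateContainer"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$templateContainer"
$searcher.Filter     = '(objectClass=pKICertificateTemplate)'
$searcher.PageSize   = 500
foreach ($attr in 'cn', 'msPKI-Template-Schema-Version', 'msPKI-Supersede-Templates') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$templates = foreach ($r in $searcher.FindAll()) {
    $p = $r.Properties          # keys are lower-case in the result collection
    [pscustomobject]@{
        Name          = [string]$p['cn'][0]
        SchemaVersion = [int]$p['mspki-template-schema-version'][0]   # 1 = version 1 template
        Supersedes    = @($p['mspki-supersede-templates']) -join ', '
    }
}

# Version 1 templates: most properties are read-only in the snap-in, so the usual way
# to change them is to supersede them with a version 2 (or later) template.
$v1 = @($templates | Where-Object SchemaVersion -eq 1)
"$($v1.Count) version 1 templates: $($v1.Name -join ', ')"

# Which newer templates supersede something? (Empty until you have configured one.)
$templates | Where-Object { $_.Supersedes } | Sort-Object Name |
    Format-Table Name, SchemaVersion, Supersedes -AutoSize

# Permissions are the one thing you can still edit on a version 1 template. The ACL is
# the AD object's own security descriptor; list who holds the Enroll extended right.
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$userTemplate = [ADSI]"LDAP://CN=User,$templateContainer"
$userTemplate.ObjectSecurity.Access |
    Where-Object { $_.ObjectType -eq $enrollRight } |
    Select-Object IdentityReference, AccessControlType
```

Because the container is under CN=Configuration, the same query returns the same templates from any domain in the forest; a template that exists in AD is still only offered by a CA that has been configured to issue it.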

Lesson 3 Review

Page 7-44

1. 

You are a certificate manager for your company's PKI. You are reviewing enrollment methods and have determined that you will implement three methods for certificate enrollment: Web-based enrollment, MMC enrollment by using the Certificate Request Wizard, and autoenrollment. Under what circumstances must you use Web-based enrollment to perform certificate enrollment? (Choose all that apply.)

  a. When enrolling certificates that are issued by an enterprise CA

  b. When performing enrollment from computers running Windows 95 or Windows 98

  c. When enrolling certificates that are issued by a standalone CA

  d. When performing enrollment from computers running Windows 2000

  e. When enrolling for certificates that are issued by a CA on computers running Windows 2000


2. 

You are reviewing enrollment methods and have determined that you will implement three methods for certificate enrollment: Web-based enrollment, MMC enrollment by using the Certificate Request Wizard, and autoenrollment. What criteria must you meet if you want a client to use the Certificates console to enroll certificates? (Choose all that apply.)

  a. The issuing CA must be an enterprise CA.

  b. The computer must be a member of an Active Directory domain.

  c. The issuing CA must be a standalone CA.

  d. The client computer must be running Microsoft Windows NT 4.0 or later.

  e. The client computer must be running Windows 2000 or later.


Answers

1. 

b and c. Web-based enrollment is the only certificate enrollment method that is available for computers running Windows 95 or Windows 98. Also, Web-based enrollment is the only way to enroll certificates from a standalone CA.

2. 

a, b, and e. You can run the Certificate Request Wizard only on a computer running Windows 2000, Windows XP, or a Windows Server 2003 family operating system. The computer must be a member of a Windows 2000 domain, and you must request the certificate from an enterprise CA.

Lesson 4 Review

Page 7-58

1. 

The security policy of your organization requires that you implement role separation to ensure the separation of duties in your PKI management strategy. Your organization decides to implement EFS file encryption to protect high-value documents that are stored on network shares. To protect the EFS-encrypted documents, you plan to archive the EFS encryption private keys on the issuing CA. How does role separation secure the key recovery process in the event of a lost EFS encryption key?

  a. Role separation enables the certificate manager to access the PKCS #7 blob in the CA database and enables the KRA to recover the private key.

  b. Role separation enables the KRA to access the PKCS #7 blob in the CA database and enables the certificate manager to recover the private key.

  c. Role separation enables the local administrator to delegate the key recovery process to non-administrators.

  d. Role separation does not add security to the key recovery process.


2. 

You are designated as a certificate manager for the CA that enables private key archival in your CA hierarchy. One of your roles is to determine the KRA for each certificate that has an archived private key. What can you use to determine the KRA for each private key that is archived in the CA database? (Choose all that apply.)

  a. Use certutil -recoverkey to determine the KRA.

  b. Use certutil -getkey to determine the KRA.

  c. Use the Certification Authority MMC console to determine the KRA.

  d. Use the Certificate MMC console to determine the KRA.

  e. Use the Key Recovery Tool to determine the KRA.


Answers

1. 

a. When you implement role separation, a certificate manager must extract the encrypted private key from the CA database and determine which KRAs can recover the private key. The KRA recovers the private key and distributes it to the original user.

2. 

b and e. Use certutil -getkey or the Key Recovery Tool to determine the KRA for an archived private key.
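Added example (PowerShell, not from the training kit) for both Lesson 4 questions: the two halves of key recovery, wrapped as the two roles would run them. The first function is the certificate manager's step (certutil -getkey extracts the encrypted PKCS #7 blob and prints the KRA certificates that can open it); the second is the KRA's step (certutil -recoverkey). The CA config string 'CA01\Coho Issuing CA', the serial number, the file paths, the user name and the password are placeholders, not values from the book.

```powershell
# Added example, not from the training kit: role-separated key recovery with certutil.

function Get-ArchivedKeyBlob {
    # Certificate manager role (Issue and Manage Certificates permission on the CA).
    # Pulls the encrypted recovery blob out of the CA database; certutil also lists the
    # KRA certificate(s) able to decrypt it. The manager never sees the private key.
    param(
        [Parameter(Mandatory)] [string]$CaConfig,      # 'Machine\CA name' (placeholder below)
        [Parameter(Mandatory)] [string]$SearchToken,   # serial number, cert hash, UPN or CN
        [Parameter(Mandatory)] [string]$BlobOutFile    # PKCS #7 file handed to the KRA
    )
    $output = & certutil.exe -config $CaConfig -getkey $SearchToken $BlobOutFile 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -getkey failed ($LASTEXITCODE):`n$($output -join "`n")"
    }
    $output    # includes the recovery candidates, i.e. which KRA must act next
}

function Restore-ArchivedKey {
    # Key recovery agent role. Opens the blob with the KRA's own private key (which must
    # be in this user's certificate store) and writes a password-protected PFX for the
    # original user. Runs on the KRA's workstation, not on the CA.
    param(
        [Parameter(Mandatory)] [string]$BlobInFile,
        [Parameter(Mandatory)] [string]$PfxOutFile,
        [Parameter(Mandatory)] [string]$PfxPassword
    )
    $output = & certutil.exe -f -p $PfxPassword -recoverkey $BlobInFile $PfxOutFile 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -recoverkey failed ($LASTEXITCODE):`n$($output -join "`n")"
    }
    Get-Item $PfxOutFile
}

# Usage as two different people (all names are placeholders):
# Certificate manager, on the CA:
#   Get-ArchivedKeyBlob -CaConfig 'CA01\Coho Issuing CA' -SearchToken '61a2b3c4d5' `
#                       -BlobOutFile 'C:\recovery\jsmith.p7b'
# Key recovery agent, on a workstation holding the KRA certificate and private key:
#   Restore-ArchivedKey -BlobInFile 'C:\recovery\jsmith.p7b' -PfxOutFile 'C:\recovery\jsmith.pfx' `
#                       -PfxPassword 'one-time-password'
```

With role separation enforced, the same account cannot hold both roles, so neither person alone can turn a database record into a usable private key; hand the PFX and its password to the user over separate channels and delete the recovery files afterwards.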

Design Activity: Case Scenario Exercise

Page 7-60

1. 

How will you ensure that users in the Coho Winery research department can send secure e-mail messages?

  a. Configure a standalone CA and instruct users to enroll for user certificates by using the Web enrollment tool.

  b. Configure an enterprise CA and use a certificate template to automatically issue certificates that support S/MIME to the domain users group.

  c. Configure an enterprise CA and use a certificate template to issue certificates that support EFS to the research group.

  d. Configure a standalone CA and instruct users to perform advanced certificate requests by using the Web enrollment tool.


2. 

How will you ensure that when users leave the Coho Winery research department they are no longer able to send secure e-mail messages?

  a. Configure a Group Policy setting to delete certificates from the local computer when they are revoked.

  b. Create a group that has been denied the Read permission on the certificate template that the certificates were based on. Add users to this group when they leave the research department.

  c. Place a copy of your certificate revocation list on a public Web server that is accessible by users in Coho Winery.

  d. Provide Coho Winery with a copy of each certificate that belongs to a user who has left the research department. Instruct the administrator to place the certificates in the Untrusted Certificates store.


3. 

How will you reconfigure users in the Coho Winery research department when a new requirement for secure e-mail, such as a longer key, is introduced?

  a. Create a new template with the new parameters. Configure the new template to supersede the old template.

  b. Configure the existing template to contain the longer key length. Configure the template to re-enroll all certificate holders.

  c. Create a second template with the new parameters. Deny research users the right to enroll for certificates based on the old template.

  d. Revoke all certificates. Instruct users to enroll for new certificates based on a new template with the longer key length.


Answers

1. 

b. By using a certificate template that supports secure e-mail (S/MIME) and allowing users to autoenroll for certificates based on the template, you ensure that the required users have a certificate that meets their needs.

2. 

a. To send secure e-mail messages, users must have certificates that support S/MIME on their computers. Even if one of these certificates is revoked, it will remain on the computer unless it is deleted manually. By configuring Group Policy to remove the revoked certificate, the administrator can simply perform the revocation and not worry about manually deleting certificates from client computers.

3. 

b. When certificate requirements change, a certificate template can be modified to include the new requirement. By forcing all certificate holders to re-enroll for certificates based on the modified template, you ensure that users always have certificates that meet the current requirements.

Design Activity: Troubleshooting Lab

Page 7-62

1. 

What tool can you use to identify the problem?


2. 

What is the source of the problem?


3. 

How will you resolve the problem?


Answers

1. 

The first tool you should use is Event Viewer. If you have enabled auditing as described in Lesson 1, Event Viewer will show a failure audit in the Security event log on Computer1 with the description 'Certificate Services denied a certificate request.' That does not help you troubleshoot the problem, but it does verify it. Certificate Services has also added a Warning event to the Application event log. This event provides a more useful description: 'Certificate Services denied request 19 because The EMail name is unavailable and cannot be added to the Subject or Subject Alternate name.'

2. 

The problem is caused by the Subject Name requirements of the User-Archived Key certificate template. To view these requirements, use the Certificate Templates snap-in to open the User-Archived Key template's properties, and then click the Subject Name tab. The default settings, which specify to build the subject name from Active Directory information, are still selected. By default, this includes the user's e-mail address. Because the users created in this chapter do not have e-mail addresses specified, they cannot enroll for the certificate.

3. 

If your organization requires all user accounts to have e-mail addresses, you should resolve the problem by assigning an e-mail address to the account. Otherwise, you should change the Subject Name requirements on the certificate template to remove the dependency on the e-mail address. Specifically, you should clear both the E-Mail Name check box and the Include E-Mail Name In Subject Name check box.
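Added example (PowerShell, not part of the training kit) that scripts the lab's three answers: it pulls the CA's denial events, reads the template's Subject Name settings as the msPKI-Certificate-Name-Flag bits they are stored as (bit values from Microsoft's MS-CRTD specification), and checks whether the requesting account has a mail attribute for the CA to copy. Assumptions: the CA writes to the Application log under the source name CertSvc (a 2003-era CA; newer CAs use Microsoft-Windows-CertificationAuthority), the template's display name is the lab's User-Archived Key, and jsmith is a made-up test account.

```powershell
# Added example, not from the training kit: diagnose "EMail name is unavailable" denials.
param(
    [string]$CaComputer          = 'Computer1',          # from the lab
    [string]$TemplateDisplayName = 'User-Archived Key',  # from the lab
    [string]$SamAccountName      = 'jsmith'              # assumed test account
)

# 1. The tool: Event Viewer, scripted. The Security log failure audit only confirms a
#    denial; the Application log warning carries the reason. Source name is assumed.
Get-EventLog -ComputerName $CaComputer -LogName Application -Source CertSvc `
             -EntryType Warning -Newest 50 |
    Where-Object { $_.Message -like 'Certificate Services denied request*' } |
    Select-Object TimeGenerated, EventID, Message | Format-List

# 2. The source: the Subject Name tab is stored as bit flags in msPKI-Certificate-Name-Flag.
#    These two bits are the two check boxes the lab answer tells you to clear.
$SUBJECT_REQUIRE_EMAIL     = 0x20000000   # "Include e-mail name in subject name"
$SUBJECT_ALT_REQUIRE_EMAIL = 0x04000000   # "E-mail name" under subject alternative name

$configNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$ts = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $container
# Search by display name: the object's cn is the template name, which can differ.
$ts.Filter = "(&(objectClass=pKICertificateTemplate)(displayName=$TemplateDisplayName))"
[void]$ts.PropertiesToLoad.Add('msPKI-Certificate-Name-Flag')
$tpl = $ts.FindOne()
if (-not $tpl) { throw "Template '$TemplateDisplayName' not found under $($container.Path)" }
$nameFlag = [int]$tpl.Properties['mspki-certificate-name-flag'][0]

$needsMailInSubject = ($nameFlag -band $SUBJECT_REQUIRE_EMAIL) -ne 0
$needsMailInSan     = ($nameFlag -band $SUBJECT_ALT_REQUIRE_EMAIL) -ne 0

# 3. Does the requesting account have a mail attribute for the CA to copy?
$us = New-Object System.DirectoryServices.DirectorySearcher
$us.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
[void]$us.PropertiesToLoad.Add('mail')
$user = $us.FindOne()
$mail = if ($user -and $user.Properties['mail'].Count) { [string]$user.Properties['mail'][0] }

"Template '$TemplateDisplayName' requires e-mail in Subject: $needsMailInSubject; in SAN: $needsMailInSan"
"User '$SamAccountName' mail attribute: $(if ($mail) { $mail } else { '<not set>' })"

if (($needsMailInSubject -or $needsMailInSan) -and -not $mail) {
    'Diagnosis: the CA cannot build the e-mail name, so it denies the request.'
    'Fix (a): if policy requires every account to have an address, populate mail, e.g.'
    '         $u = [ADSI]"LDAP://<user DN>"; $u.Put("mail","user@coho.example"); $u.SetInfo()'
    'Fix (b): otherwise clear "E-mail name" and "Include e-mail name in subject name" on the'
    '         template''s Subject Name tab, which clears the two bits tested above.'
}
```

Clearing the bits on the template is a forest-wide change that affects every CA issuing it, so prefer fix (a) when only a handful of lab accounts lack an address and the rest of the organization depends on e-mail names being in the certificate.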






MCSA/MCSE Self-Paced Training Kit (Exam 70-299): Implementing and Administering Security in a Microsoft® Windows Server™ 2003 Network (Pro-Certification)
ISBN: 073562061X
Year: 2004
Pages: 217
