Page 7-17

1. Which of the following scenarios would use public key encryption to keep a message sent from User A to User B private?

2. Which of the following is a feature unique to enterprise CAs?

Answers

1. a. In this scenario, only User B's private key could decrypt the message.

2. b. Only enterprise CAs can provide certificate autoenrollment.
Page 7-29

1. Which of the following tasks can be performed on version 1 certificate templates? (Choose all that apply.)

2. Where in the Active Directory are certificate templates located?

Answers

1. a, c, and d. While most properties of version 1 certificates cannot be modified, you can change permissions. Version 1 certificate templates can be superseded; in fact, that is the only way to make most types of modifications. Additionally, certificates based on version 1 templates can be added to a CRL.

2. b. The certificate templates are contained within the CN=Certificate Templates,CN=Public Key Services,CN=Extended-Rights,CN=Configuration, DC=ForestRootNameDN container.
Page 7-44

1. You are a certificate manager for your company's PKI. You are reviewing enrollment methods and have determined that you will implement three methods for certificate enrollment: Web-based enrollment, MMC enrollment by using the Certificate Request Wizard, and autoenrollment. Under what circumstances must you use Web-based enrollment to perform certificate enrollment? (Choose all that apply.)

2. You are reviewing enrollment methods and have determined that you will implement three methods for certificate enrollment: Web-based enrollment, MMC enrollment by using the Certificate Request Wizard, and autoenrollment. What criteria must you meet if you want a client to use the Certificates console to enroll certificates? (Choose all that apply.)

Answers

1. b and c. Web-based enrollment is the only certificate enrollment method that is available for computers running Windows 95 or Windows 98. Also, Web-based enrollment is the only way to enroll certificates from a standalone CA.

2. a, b, and e. You can run the Certificate Request Wizard only on a computer running Windows 2000, Windows XP, or a Windows Server 2003 family operating system. The computer must be a member of a Windows 2000 domain, and you must request the certificate from an enterprise CA.
Page 7-58

1. The security policy of your organization requires that you implement role separation to ensure the separation of duties in your PKI management strategy. Your organization decides to implement EFS file encryption to protect high-value documents that are stored on network shares. To protect the EFS-encrypted documents, you plan to archive the EFS encryption private keys on the issuing CA. How does role separation secure the key recovery process in the event of a lost EFS encryption key?

2. You are designated as a certificate manager for the CA that enables private key archival in your CA hierarchy. One of your roles is to determine the KRA for each certificate that has an archived private key. What can you use to determine the KRA for each private key that is archived in the CA database? (Choose all that apply.)

Answers

1. a. When you implement role separation, a certificate manager must extract the encrypted private key from the CA database and determine which KRAs can recover the private key. The KRA recovers the private key and distributes it to the original user.

2. b and e. Use certutil -getkey or the Key Recovery Tool to determine the KRA for an archived private key.
Page 7-60

1. How will you ensure that users in the Coho Winery research department can send secure e-mail messages?

2. How will you ensure that when users leave the Coho Winery research department they are no longer able to send secure e-mail messages?

3. How will you reconfigure users in the Coho Winery research department when a new requirement for secure e-mail, such as a longer key, is introduced?

Answers

1. b. By using a certificate template that supports secure e-mail (S/MIME) and allowing users to autoenroll for certificates based on the template, you ensure that the required users have a certificate that meets their needs.

2. a. To send secure e-mail messages, users must have certificates that support S/MIME on their computers. Even if one of these certificates is revoked, it will remain on the computer unless it is deleted manually. By configuring Group Policy to remove the revoked certificate, the administrator can simply perform the revocation and not worry about manually deleting certificates from client computers.

3. b. When certificate requirements change, a certificate template can be modified to include the new requirement. By instructing all users to re-enroll for certificates based on the new template, you ensure that users always have certificates that meet the current requirements.
Page 7-62

1. What tool can you use to identify the problem?

2. What is the source of the problem?

3. How will you resolve the problem?

Answers

1. The first tool you should use is Event Viewer. If you have enabled auditing as described in Lesson 1, Event Viewer will show a failure audit in the Security event log on Computer1 with the description 'Certificate Services denied a certificate request.' That does not help you troubleshoot the problem, but it does verify it. Certificate Services has also added a Warning event to the Application event log. This event provides a more useful description: 'Certificate Services denied request 19 because The EMail name is unavailable and cannot be added to the Subject or Subject Alternate name.'

2. The problem is caused by the Subject Name requirements of the User-Archived Key certificate template. To view these requirements, use the Certificate Templates snap-in to view the User-Archived Key security template properties, and then click the Subject Name tab. The default settings, which specify to build the subject name from Active Directory information, are still selected. By default, this includes the user's e-mail address. Because the users created in this chapter do not have e-mail addresses specified, they cannot enroll for the certificate.

3. If your organization requires all user accounts to have e-mail addresses, you should resolve the problem by assigning an e-mail address to the account. Otherwise, you should change the Subject Name requirements on the certificate template to remove the dependency on the e-mail address. Specifically, you should clear both the E-Mail Name check box and the Include E-Mail Name In Subject Name check box.