1. What is an X.509 digital certificate?
2. Which of the following applications would require that a PKI architecture be in place? (Choose all that apply.)
3. What are the four possible ways of designing a CA hierarchy?
4. Which of the following ways can you use to enroll for a certificate with a stand-alone CA?
5. Which operating systems can be used to perform autoenrollment with an enterprise CA? (Choose all that apply.)
6. What are the three possible roles for a CA in the organization?
7. What auditing setting must be enabled to allow CA-specific auditing through the Certification Authority console?
8. Which of the following reasons would you use in choosing to revoke a certificate? (Choose all that apply.)
9. What are the four roles that perform administrative tasks on a Windows Server 2003 CA server?
10. Why should you perform role separation on a CA server?

Answers
1. B. A certificate contains fields that identify the subject (owner of the certificate) and the subject’s public key. The certificate is then signed by a certificate authority that verified the information, so all clients that trust the CA can trust the information in the certificate.
2. A, B, D, F. You would need to use certificates in applications that require authentication of the user, a digital signature, or encryption without the exchange of keys through some other means. Smart card logon verifies the identity of the user through a certificate and a PIN or password, referred to as two-factor authentication. EFS requires a certificate to verify the owner of a file and the encrypting keys. IP security requires encryption and the validation of the client and the server, which will require a certificate. Secure e-mail supports digital signatures, and encrypted e-mail requires PKI.
3. A, C, D, E. Depending on the management or legal needs of the organization, you will need to design a CA hierarchy based on the organization (employee, contractors, partner), geography (USA, France, Asia), function (S/MIME, EFS, smart card), or department (Marketing, Finance, Accounting).
4. A. You would use a web enrollment page to request, renew, and manage certificates that are used in the organization.
5. A, C. Windows XP and Windows Server 2003 are the only two operating systems that support autoenrollment for certificates with a Windows Server 2003 enterprise CA server.
6. A, B, D. You can have three different roles for a CA in an organization: root, intermediate, and issuing. The root CA is responsible for signing all certificates issued in the PKI and is the most trusted CA. The intermediate CA is used to approve requests for enrollment and renewal of certificates. The issuing CA is responsible for issuing or deploying the certificate and CRL to the clients.
7. B. You would need to enable Success and Failure on the Audit Object Access setting to make file, Registry, or CA auditing possible. You would then set the audit property on the item you would like to audit.
8. A, D, F. You would need to issue new certificates if the CA or private key was compromised. If you retire the CA, you will need to revoke the old certificate and issue the new CA’s certificate.
9. B, D, F, G. The CA Administrator can configure the CA server, manage permissions, and renew CA certificates. The Certificate Manager role can initiate a key recovery, manage certificate enrollment, and revoke certificates. The Backup Operator can back up and restore the CA databases. The Auditor can read the security log and configure auditing.
10. B. You distribute the administrative function of the CA servers among four different roles. This will minimize damage done to the CA hierarchy if one of the administrator accounts is infiltrated.