15 Cards in this Set

  • Front
  • Back

is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI).

Online Certificate Status Protocol (OCSP)

What list does a CRL Distribution Point host?

#1. CRL: a list of certificates that have been revoked on a specific CA (published every 7 days). #2. Delta CRL: a list of all certificates that have been revoked since the publication of the last CRL.

How does the CRL process work?

When a new certificate is encountered, the operating system performs a check against the certificate server that issued the certificate to determine if the certificate has been revoked.

We specify the CRL on the Extensions tab of the CA's properties. To what 4 locations can the CRL be published?

#1. C:\Windows\system32\CertSrv\CertEnroll\CAName\CRLNameSuffix #2. LDAP #3. HTTP #4. File

What should we consider when configuring CDPs (Certificate Revocation List Distribution Points)?

#1. If we are publishing certificates that will be used by third parties, ensure that a CDP is in a location that is accessible to those third parties. #2. We need to configure an alternative AIA point if we are implementing an Online Responder. #3. Consider publishing the CDP to a DFS share, especially in distributed environments with lots of sites.

allow certificate revocation checks to occur without requiring that the client download the entire CRL and delta CRL.

Online Responders. Rather than the client checking the whole CRL, the client can send a certificate-specific query, which reduces the load on both the CA and the client. (Vista and up)

How do we deploy an Online Responder?

#1. The computer hosting the online responder also needs to host IIS. #2. We need to configure the OCSP Response Signing certificate template so that the computer hosting the online responder is able to request the certificate. #3. We must configure the AIA extension on the CA that will use the online responder, so that clients are able to use the online responder.

What can online responders do besides allowing cert revocation checks?

#1. They can service more than one CA. #2. They can be deployed in an array configuration to ensure high availability. #3. A single CA can publish revocation info to multiple online responders.

What modification do you need to make on the CA if you want to use an online responder?

Modify the "AIA" extension to point to the online responder URL if you want to use an online responder.

When implementing Administrative Role Separation, where can we restrict which security principals are able to perform certificate management tasks?

On the Certificate Managers tab

What permission does a user need to have to Manage the CA?

Manage CA permission; allows them to configure security, issue certificates, alter recovery agents, extensions, etc.

What should we do to have sensitive templates such as "key & data recovery" managed by a small group of users?

Configure certificate managers and assign specific permissions, so that only they have the right to use these specific templates.

What security group does a user need to be assigned to in order to back up a CA?

Member of the "Backup Operators" group, or assigned the Manage CA permission.

How do we back up a CA using the Certification Authority console?

#1. Click the CA in Certification Authority > Actions menu > All Tasks > Back up CA. #2. On the "Items to Back Up" page, choose from: "Private Key and CA Certificate" (backs up the CA's private and public keys; enables you to restore the CA on a different computer) and "Certificate Database and Certificate Database Log" (enables you to recover the public keys of certificates that the CA has issued; if key archiving is enabled, we can also recover the private keys of those certificates). #3. Location: enables us to specify a backup location. #4. Select a password.

How do we perform a backup of a CA using the command line?

Certutil -backup c:\backup