Your company implemented an on-premise public key infrastructure (PKI). Certificates are issued directly by a root certificate authority (CA) with a self-signed certificate. Which of the following statements is correct?
A. The certificate of root CA shall be deployed to all servers only.
B. The certificate of root CA and its private key can be packaged into the same file.
C. The root CA manages all key pairs (public and private keys) of users.
D. The root CA issues certificates with a digital signature signed by its public key.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. The certificate of root CA and its private key can be packaged into the same file.
PKCS #12 files are commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust.
- The certificate of root CA shall be deployed to not only servers but all hosts.
- A private key shall always be kept secret by the user. It will not be sent to the root CA for storage.
- Certificates are signed by the CA using its private key.
In cryptography, PKCS stands for “Public Key Cryptography Standards”. These are a group of public-key cryptography standards devised and published by RSA Security LLC, starting in the early 1990s. (Wikipedia)
PKCS #10: Certification Request Syntax Specification
In public key infrastructure (PKI) systems, a certificate signing request (also CSR or certification request) is a message sent from an applicant to a registration authority of the public key infrastructure in order to apply for a digital identity certificate. It usually contains the public key for which the certificate should be issued, identifying information (such as a domain name) and integrity protection (e.g., a digital signature).
The following is a sample certificate signing request (CSR):
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
PKCS #7: Cryptographic Message Syntax
In cryptography, “PKCS #7: Cryptographic Message Syntax” (a.k.a. “CMS”) is a standard syntax for storing signed and/or encrypted data.
PKCS #7 files may be stored either in raw DER format or in PEM format. PEM format is the same as DER format but wrapped in Base64 encoding and sandwiched between -----BEGIN PKCS7----- and -----END PKCS7-----. Windows uses the “.p7b” file name extension for both of these encodings.
A typical use of a PKCS #7 file is to store certificates and/or certificate revocation lists (CRL); it carries no private keys.
PKCS #12: Personal Information Exchange Syntax
In cryptography, PKCS #12 defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust.
The filename extension for PKCS #12 files is .p12 or .pfx. PKCS #12 is the successor to Microsoft’s “PFX”; however, the terms “PKCS #12 file” and “PFX file” are sometimes used interchangeably. The PFX format has been criticized for being one of the most complex cryptographic protocols.
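To make the four options concrete, here is an added example (not from the original post) that builds a tiny on-premise PKI with the openssl command line: a self-signed root CA, a PKCS #10 request from a server, a certificate signed with the CA's private key, a PKCS #12 bundle of key plus certificate, and a certificate-only PKCS #7 bundle. All names, paths and the password are constructed for the demo.

```shell
#!/bin/sh
# Added example: a minimal on-premise PKI with openssl. Every name, path and
# the password "changeit" are constructed for the demo, not taken from the post.
set -e
WORK="${WORK:-$(mktemp -d)}"

build_pki() {
  cd "$WORK"
  # 1. Root CA: key pair plus a self-signed certificate (signed with the CA's own PRIVATE key)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out root.key 2>/dev/null
  openssl req -x509 -new -key root.key -subj "/CN=Example Root CA" -days 3650 -out root.crt
  # 2. The server generates and keeps its own key pair; only a PKCS #10 CSR goes to the CA
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server.key 2>/dev/null
  openssl req -new -key server.key -subj "/CN=www.example.test" -out server.csr
  # 3. The CA signs the CSR with its private key (the CSR never carried server.key)
  openssl x509 -req -in server.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 365 -out server.crt 2>/dev/null
  # 4. PKCS #12: certificate + private key (+ chain) in one password-protected file
  openssl pkcs12 -export -inkey server.key -in server.crt -certfile root.crt \
    -passout pass:changeit -out server.p12 2>/dev/null
  # 5. PKCS #7: a certificate-only bundle of the chain
  openssl crl2pkcs7 -nocrl -certfile server.crt -certfile root.crt -out chain.p7b
}

# Succeeds if server.crt chains to the root: the signature is checked with the CA's PUBLIC key
verify_chain() { openssl verify -CAfile "$WORK/root.crt" "$WORK/server.crt" >/dev/null; }

# Succeeds if the CSR contains no private key material (the key stays with the applicant)
csr_has_no_private_key() { ! grep -q "PRIVATE KEY" "$WORK/server.csr"; }

# Succeeds if the PKCS #12 file yields both a certificate and a private key (option B)
p12_has_key_and_cert() {
  out=$(openssl pkcs12 -in "$WORK/server.p12" -passin pass:changeit -nodes 2>/dev/null)
  echo "$out" | grep -q "BEGIN CERTIFICATE" && echo "$out" | grep -q "PRIVATE KEY"
}

# Succeeds if the PKCS #7 bundle holds certificates only
p7b_has_no_private_key() {
  out=$(openssl pkcs7 -in "$WORK/chain.p7b" -print_certs)
  echo "$out" | grep -q "BEGIN CERTIFICATE" && ! echo "$out" | grep -q "PRIVATE KEY"
}
```

Run `build_pki` and then the four check functions; each returns success when the property it names holds.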
- Certificate authority
- Self-signed certificate
- Digital Certificate
- Where Is Your Private Key?
- PKCS #10 (Certification Request Standard)
- PKCS #7 (Cryptographic Message Syntax Standard)
- PKCS #12 (Personal Information Exchange Syntax Standard)