1. What is the primary purpose of Public Key Infrastructure (PKI)?
A) Encrypting passwords only
B) Managing cryptographic keys and certificates
C) Replacing firewalls in a network
D) Creating private networks
✅ Answer: B) Managing cryptographic keys and certificates
🔹 Explanation: PKI is designed to issue, manage, revoke, and distribute digital certificates to establish a secure environment for encrypted communication.
2. Which component of PKI is responsible for issuing digital certificates?
A) Certificate Authority (CA)
B) Registration Authority (RA)
C) Key Distribution Center (KDC)
D) Directory Service
✅ Answer: A) Certificate Authority (CA)
🔹 Explanation: The Certificate Authority (CA) is the trusted entity that issues digital certificates after verifying an entity’s identity.
3. What type of key is stored in a digital certificate?
A) Private Key
B) Public Key
C) Symmetric Key
D) Master Key
✅ Answer: B) Public Key
🔹 Explanation: A digital certificate contains the public key of the entity, which can be used by others to verify signatures and encrypt messages.
4. Which cryptographic protocol ensures that a certificate is valid and has not been revoked?
A) TLS
B) OCSP
C) AES
D) MD5
✅ Answer: B) OCSP
🔹 Explanation: The Online Certificate Status Protocol (OCSP) is used to check the revocation status of a certificate in real time.
5. What is the purpose of a Certificate Signing Request (CSR)?
A) To generate a private key
B) To revoke an existing certificate
C) To request a digital certificate from a CA
D) To encrypt data
✅ Answer: C) To request a digital certificate from a CA
🔹 Explanation: A CSR is a file sent to a Certificate Authority (CA) containing the public key and identity details of the entity requesting a certificate.
6. Which certificate format is commonly used for web servers and is base64 encoded?
A) .pfx
B) .der
C) .pem
D) .csr
✅ Answer: C) .pem
🔹 Explanation: PEM (Privacy-Enhanced Mail) is a base64-encoded certificate format commonly used for TLS/SSL certificates.
7. What is a self-signed certificate?
A) A certificate issued by a trusted CA
B) A certificate signed by the same entity that created it
C) A certificate that expires after 10 years
D) A certificate used only for email encryption
✅ Answer: B) A certificate signed by the same entity that created it
🔹 Explanation: A self-signed certificate is created and signed by an entity itself rather than by a trusted CA, making it unsuitable for public trust.
8. What is the primary purpose of a Root Certificate Authority (Root CA)?
A) To issue certificates to end users
B) To verify and sign subordinate CA certificates
C) To store private keys for users
D) To encrypt all internet traffic
✅ Answer: B) To verify and sign subordinate CA certificates
🔹 Explanation: A Root CA is the top-level authority that signs the certificates of intermediate/subordinate CAs, forming a trust hierarchy.
9. Which type of certificate allows multiple subdomains to be secured under a single certificate?
A) Extended Validation (EV) Certificate
B) Wildcard Certificate
C) Self-Signed Certificate
D) Domain Validation (DV) Certificate
✅ Answer: B) Wildcard Certificate
🔹 Explanation: A Wildcard Certificate allows securing multiple subdomains using a single certificate (e.g., *.example.com).
10. Which standard defines the format of digital certificates in PKI?
A) SSL/TLS
B) X.509
C) SHA-256
D) RSA
✅ Answer: B) X.509
🔹 Explanation: The X.509 standard defines the structure of digital certificates, including fields such as issuer, subject, validity period, and public key.
11. What happens when a certificate expires?
A) It remains valid indefinitely
B) It can still be used for decryption
C) It can no longer be trusted or used for authentication
D) It automatically renews itself
✅ Answer: C) It can no longer be trusted or used for authentication
🔹 Explanation: Expired certificates are considered untrusted, leading to security warnings in browsers and preventing secure connections.
12. What is the maximum validity period for SSL/TLS certificates, as per industry standards?
A) 10 years
B) 5 years
C) 2 years
D) 1 year
✅ Answer: D) 1 year
🔹 Explanation: Since 2020, the maximum validity period for SSL/TLS certificates has been limited to 398 days (~1 year).
13. What is the purpose of an Intermediate CA?
A) To act as a backup for the Root CA
B) To issue certificates on behalf of the Root CA
C) To generate public keys for users
D) To validate DNS records
✅ Answer: B) To issue certificates on behalf of the Root CA
🔹 Explanation: An Intermediate CA sits between the Root CA and end users, helping distribute trust while keeping the Root CA secure.
14. Which type of certificate provides the highest level of trust and verification?
A) Domain Validation (DV) Certificate
B) Organization Validation (OV) Certificate
C) Extended Validation (EV) Certificate
D) Wildcard Certificate
✅ Answer: C) Extended Validation (EV) Certificate
🔹 Explanation: EV Certificates require rigorous identity verification and display a green address bar in browsers.
15. Which cryptographic algorithm is most commonly used for generating digital signatures in certificates?
A) DES
B) RSA
C) MD5
D) SHA-1
✅ Answer: B) RSA
🔹 Explanation: RSA is the most widely used algorithm for digital signatures and key exchange in PKI.
16. What is key escrow in PKI?
A) The process of backing up encryption keys securely
B) The immediate revocation of a certificate
C) A method to share keys with unauthorized users
D) A technique for hashing passwords
✅ Answer: A) The process of backing up encryption keys securely
🔹 Explanation: Key escrow involves storing encryption keys with a trusted third party for recovery in case of loss.
17. Which mechanism is used to revoke a compromised certificate?
A) HSTS
B) CRL and OCSP
C) DNSSEC
D) AES
✅ Answer: B) CRL and OCSP
🔹 Explanation: The Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) allow checking for revoked certificates.
18. What happens if a certificate authority (CA) is compromised?
A) All certificates remain trusted
B) The CA’s root certificate must be removed from trusted stores
C) The CA can issue more secure certificates
D) Nothing happens
✅ Answer: B) The CA’s root certificate must be removed from trusted stores
🔹 Explanation: If a CA is compromised, all certificates issued by it become untrustworthy.
19. What does SAN (Subject Alternative Name) in a certificate allow?
A) Multiple domain names in one certificate
B) Stronger encryption
C) Faster SSL handshakes
D) Self-signing
✅ Answer: A) Multiple domain names in one certificate
🔹 Explanation: SAN enables securing multiple domain names under a single SSL certificate.
20. What is the role of an HSM (Hardware Security Module) in PKI?
A) Storing and managing cryptographic keys securely
B) Encrypting all web traffic
C) Generating digital certificates
D) Validating DNS records
✅ Answer: A) Storing and managing cryptographic keys securely
🔹 Explanation: HSMs are physical devices that store and manage private keys securely.
21. Which PKI component is responsible for verifying an entity’s identity before issuing a certificate?
A) Certificate Authority (CA)
B) Registration Authority (RA)
C) Certificate Revocation List (CRL)
D) Hardware Security Module (HSM)
✅ Answer: B) Registration Authority (RA)
🔹 Explanation: The Registration Authority (RA) verifies the identity of an entity before approving a certificate request, acting as an intermediary between the user and the CA.
22. What is the primary difference between a Domain Validation (DV) and an Organization Validation (OV) certificate?
A) DV requires business verification, while OV does not
B) OV provides higher trust by verifying business identity, whereas DV only verifies domain ownership
C) DV is used for financial transactions, while OV is not
D) OV certificates expire faster than DV certificates
✅ Answer: B) OV provides higher trust by verifying business identity, whereas DV only verifies domain ownership
🔹 Explanation: DV certificates only validate that the requester owns the domain, while OV certificates involve additional checks on the organization’s legitimacy.
23. Which PKI standard is used for digital signatures and encryption in email communication?
A) TLS
B) S/MIME
C) OCSP
D) SHA-256
✅ Answer: B) S/MIME
🔹 Explanation: Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for encrypting and digitally signing email communications.
24. What does the term “chain of trust” mean in PKI?
A) The process of using multiple cryptographic keys for encryption
B) The hierarchical structure where trust flows from a Root CA to subordinate CAs and end-user certificates
C) The method of encrypting certificates for security
D) The process of revoking certificates when they expire
✅ Answer: B) The hierarchical structure where trust flows from a Root CA to subordinate CAs and end-user certificates
🔹 Explanation: In PKI, a chain of trust ensures that an end-user certificate is validated by verifying the Root CA and its subordinate Intermediate CAs.
25. What happens if a digital certificate’s private key is compromised?
A) The CA must issue a new public key
B) The certificate must be revoked immediately
C) The private key can be changed without affecting the certificate
D) The certificate remains valid
✅ Answer: B) The certificate must be revoked immediately
🔹 Explanation: If a private key is compromised, the certificate must be revoked to prevent unauthorized use.
26. Which type of cryptographic key is kept secret in asymmetric encryption?
A) Public Key
B) Private Key
C) Shared Key
D) Master Key
✅ Answer: B) Private Key
🔹 Explanation: In asymmetric encryption, the private key must be kept secret, while the public key is shared for encryption or verification.
27. What is the role of the Subject field in a digital certificate?
A) Defines the cryptographic algorithm used
B) Specifies the entity (person, organization, or website) associated with the certificate
C) Stores the certificate’s serial number
D) Determines the certificate’s expiration date
✅ Answer: B) Specifies the entity (person, organization, or website) associated with the certificate
🔹 Explanation: The Subject field contains the name of the individual, company, or domain that owns the certificate.
28. Which security risk occurs when an expired certificate is still trusted?
A) Certificate Spoofing
B) Key Escrow Compromise
C) Certificate Misuse
D) Certificate Transparency
✅ Answer: C) Certificate Misuse
🔹 Explanation: Expired certificates can be exploited if systems still trust them, leading to potential man-in-the-middle (MITM) attacks.
29. What does a digital certificate’s validity period define?
A) The time frame within which the certificate is considered trustworthy
B) The time it takes to generate a new key pair
C) The frequency of certificate revocation checks
D) The expiration date of the CA
✅ Answer: A) The time frame within which the certificate is considered trustworthy
🔹 Explanation: Certificates have an expiration date after which they are no longer trusted.
30. What is certificate pinning?
A) The process of storing a certificate permanently on a system
B) Hardcoding a specific certificate’s public key to prevent MITM attacks
C) A method of revoking certificates
D) A backup mechanism for lost certificates
✅ Answer: B) Hardcoding a specific certificate’s public key to prevent MITM attacks
🔹 Explanation: Certificate pinning ensures that only a specific trusted certificate is used, reducing the risk of MITM attacks.
31. What is the function of a CRL (Certificate Revocation List)?
A) It provides a list of trusted certificates
B) It contains a list of revoked certificates that are no longer trusted
C) It issues new certificates when old ones expire
D) It encrypts data in transit
✅ Answer: B) It contains a list of revoked certificates that are no longer trusted
🔹 Explanation: A CRL is maintained by a CA and lists all certificates that have been revoked.
32. What role does a timestamping authority (TSA) play in PKI?
A) Encrypts digital certificates
B) Provides a trusted timestamp to prove when data was signed
C) Issues domain validation certificates
D) Authenticates SSL/TLS connections
✅ Answer: B) Provides a trusted timestamp to prove when data was signed
🔹 Explanation: A TSA ensures that digital signatures and certificates are time-stamped, proving they were created at a specific time.
33. What does SSL/TLS certificate chaining rely on?
A) Symmetric encryption
B) Trust from a Root CA through Intermediate CAs to the end-user certificate
C) Blockchain technology
D) DNS records
✅ Answer: B) Trust from a Root CA through Intermediate CAs to the end-user certificate
🔹 Explanation: SSL/TLS certificates rely on a chain of trust, where Intermediate CAs help validate end-user certificates.
34. What is Perfect Forward Secrecy (PFS) in TLS?
A) A mechanism that ensures past encrypted sessions remain secure even if a private key is compromised
B) A method for fast certificate renewal
C) A type of wildcard certificate
D) A replacement for OCSP
✅ Answer: A) A mechanism that ensures past encrypted sessions remain secure even if a private key is compromised
🔹 Explanation: Perfect Forward Secrecy (PFS) ensures session keys are not reused, preventing attackers from decrypting past communications.
35. What happens when a browser encounters an untrusted certificate?
A) It automatically trusts the certificate
B) It blocks the connection and warns the user
C) It downloads a new trusted certificate
D) It redirects the user to a safe website
✅ Answer: B) It blocks the connection and warns the user
🔹 Explanation: Browsers block access and display warnings if a certificate is untrusted or expired.
36. What does a digital certificate bind together?
A) A user’s private key and public key
B) A public key with the identity of the certificate owner
C) A cryptographic hash with an encryption key
D) Two-factor authentication credentials
✅ Answer: B) A public key with the identity of the certificate owner
🔹 Explanation: A digital certificate binds an entity’s public key to its identity.
37. What is the primary purpose of a digital signature in PKI?
A) Encrypting the data being transmitted
B) Authenticating the identity of the sender and ensuring data integrity
C) Compressing data before transmission
D) Encrypting the private key
✅ Answer: B) Authenticating the identity of the sender and ensuring data integrity
🔹 Explanation: A digital signature provides authentication, integrity, and non-repudiation by verifying that data has not been altered.
38. What is the function of a Certificate Policy (CP)?
A) Specifies how certificates are issued, managed, and revoked
B) Encrypts digital certificates for secure storage
C) Defines the expiration period of all digital certificates
D) Determines how browsers validate SSL/TLS certificates
✅ Answer: A) Specifies how certificates are issued, managed, and revoked
🔹 Explanation: A Certificate Policy (CP) defines rules for issuing, renewing, and revoking certificates within a PKI system.
39. What is the difference between OCSP and CRL in PKI?
A) OCSP provides real-time certificate validation, while CRL is a static list of revoked certificates
B) CRL is faster than OCSP for checking revocation status
C) OCSP is used only for email encryption, while CRL is for web encryption
D) CRL requires an active internet connection, while OCSP does not
✅ Answer: A) OCSP provides real-time certificate validation, while CRL is a static list of revoked certificates
🔹 Explanation: OCSP (Online Certificate Status Protocol) checks certificate validity in real time, while CRL (Certificate Revocation List) is a periodically updated list of revoked certificates.
40. What is an Extended Validation (EV) SSL certificate?
A) A certificate that provides the highest level of verification and trust
B) A certificate that expires faster than regular SSL certificates
C) A self-signed certificate for internal use
D) A certificate used for encrypting emails
✅ Answer: A) A certificate that provides the highest level of verification and trust
🔹 Explanation: EV SSL certificates require rigorous identity verification, making them more trustworthy for users.
41. What does an asymmetric cryptographic system require?
A) A shared secret key
B) A single key for encryption and decryption
C) A pair of keys: a public key and a private key
D) A hardware token
✅ Answer: C) A pair of keys: a public key and a private key
🔹 Explanation: Asymmetric cryptography uses a public-private key pair where the public key encrypts and the private key decrypts.
42. Which of the following can be found in an X.509 certificate?
A) Domain Name, Public Key, Issuer Name, Expiry Date
B) Private Key, MAC Address, IP Address
C) User Passwords, Symmetric Key, Expiry Date
D) DNS Records, Network Logs, Key Escrow Information
✅ Answer: A) Domain Name, Public Key, Issuer Name, Expiry Date
🔹 Explanation: X.509 certificates contain the domain name, public key, issuer details, and validity period.
43. What is the role of a Key Management System (KMS) in PKI?
A) Managing, storing, and distributing cryptographic keys securely
B) Encrypting email messages
C) Replacing expired certificates automatically
D) Detecting cyber threats
✅ Answer: A) Managing, storing, and distributing cryptographic keys securely
🔹 Explanation: KMS ensures secure generation, storage, and lifecycle management of cryptographic keys.
44. What does PKCS stand for in PKI?
A) Public Key Cryptography Standards
B) Public Key Certificate Security
C) Private Key Certificate Signing
D) Public Key Chain Signing
✅ Answer: A) Public Key Cryptography Standards
🔹 Explanation: PKCS (Public Key Cryptography Standards) is a set of standards defining secure cryptographic techniques.
45. What is a Root CA certificate?
A) A self-signed certificate that acts as the foundation of trust in PKI
B) A certificate used for encrypting files
C) A certificate valid for only 30 days
D) A certificate used for wireless network authentication
✅ Answer: A) A self-signed certificate that acts as the foundation of trust in PKI
🔹 Explanation: A Root Certificate Authority (CA) certificate is the highest level in the trust hierarchy of PKI.
46. Which field in an X.509 certificate ensures it was issued for a specific purpose?
A) Subject Alternative Name (SAN)
B) Key Usage
C) Public Key Algorithm
D) Issuer Organization
✅ Answer: B) Key Usage
🔹 Explanation: The Key Usage field specifies whether a certificate is for digital signatures, key encipherment, or certificate signing.
47. What does PKI use to ensure data confidentiality?
A) Digital Signatures
B) Hashing
C) Encryption
D) Key Escrow
✅ Answer: C) Encryption
🔹 Explanation: Encryption ensures that only authorized parties can access protected data in PKI.
48. What happens when a CA’s private key is compromised?
A) Only affected certificates are revoked
B) The entire trust hierarchy may be compromised
C) The public key is regenerated
D) The certificates remain valid
✅ Answer: B) The entire trust hierarchy may be compromised
🔹 Explanation: If a CA’s private key is compromised, all certificates issued by it become untrustworthy.
49. Which type of certificate provides security for multiple domains under one certificate?
A) Wildcard Certificate
B) SAN Certificate
C) EV Certificate
D) Root Certificate
✅ Answer: B) SAN Certificate
🔹 Explanation: Subject Alternative Name (SAN) certificates allow securing multiple domains under a single certificate.
50. What does an entity use to prove its identity when requesting a certificate from a CA?
A) Digital Signature
B) Certificate Signing Request (CSR)
C) TLS Handshake
D) OCSP Query
✅ Answer: B) Certificate Signing Request (CSR)
🔹 Explanation: A CSR is generated with a public key and identity details and submitted to a CA.
51. What mechanism does PKI use to verify the integrity of a message?
A) Symmetric Encryption
B) Digital Signatures
C) MAC Addressing
D) Key Wrapping
✅ Answer: B) Digital Signatures
🔹 Explanation: Digital signatures ensure message integrity, authenticity, and non-repudiation.
52. Which PKI technology helps prevent phishing and impersonation attacks?
A) HSTS
B) Domain Validation (DV) Certificates
C) DNSSEC
D) Extended Validation (EV) Certificates
✅ Answer: D) Extended Validation (EV) Certificates
🔹 Explanation: EV certificates require strict verification and help prevent phishing.
53. Which key length is recommended for RSA encryption to ensure strong security?
A) 1024-bit
B) 2048-bit
C) 512-bit
D) 4096-bit
✅ Answer: B) 2048-bit
🔹 Explanation: 2048-bit RSA keys are the minimum recommended for strong encryption and security.
54. What is the primary function of a subordinate (intermediate) Certificate Authority (CA)?
A) Issue certificates on behalf of the Root CA
B) Encrypt TLS traffic
C) Replace expired SSL certificates automatically
D) Manage key pairs for users
✅ Answer: A) Issue certificates on behalf of the Root CA
🔹 Explanation: Intermediate CAs are used to issue certificates on behalf of the Root CA, reducing the risk of compromising the Root CA.
55. In PKI, what is a digital certificate primarily used for?
A) Storing encryption keys
B) Authenticating an entity and providing a public key for secure communication
C) Encrypting large files
D) Managing network connections
✅ Answer: B) Authenticating an entity and providing a public key for secure communication
🔹 Explanation: A digital certificate helps establish trust by authenticating an entity and providing a public key for secure communication.
56. Which attack can occur if an expired certificate is still accepted as valid?
A) SQL Injection
B) Man-in-the-Middle (MITM) Attack
C) Buffer Overflow
D) Clickjacking
✅ Answer: B) Man-in-the-Middle (MITM) Attack
🔹 Explanation: An MITM attack can occur if an expired certificate is still trusted, allowing attackers to intercept and manipulate communications.
57. What is the function of the Subject Alternative Name (SAN) field in a digital certificate?
A) It allows multiple domain names to be covered under one certificate
B) It encrypts the certificate for security
C) It defines the key strength of the encryption
D) It determines the expiration date of the certificate
✅ Answer: A) It allows multiple domain names to be covered under one certificate
🔹 Explanation: SAN certificates allow securing multiple domain names in a single SSL/TLS certificate.
58. What cryptographic concept ensures that a digital signature cannot be forged?
A) Symmetric Key Encryption
B) Asymmetric Cryptography and Hashing
C) Steganography
D) MAC Address Filtering
✅ Answer: B) Asymmetric Cryptography and Hashing
🔹 Explanation: Digital signatures use asymmetric cryptography and hashing to ensure authenticity and non-repudiation.
59. Which component in PKI is used for securely storing and managing private keys?
A) DNS Server
B) Web Application Firewall (WAF)
C) Hardware Security Module (HSM)
D) Intrusion Detection System (IDS)
✅ Answer: C) Hardware Security Module (HSM)
🔹 Explanation: An HSM is a specialized hardware device used for securely managing cryptographic keys.
60. What happens if a digital certificate is revoked?
A) It remains valid for encryption but not authentication
B) It cannot be used for secure communication anymore
C) It can be renewed automatically
D) It continues to work until it expires
✅ Answer: B) It cannot be used for secure communication anymore
🔹 Explanation: Revoked certificates are no longer trusted, preventing them from being used for authentication or encryption.
61. What type of certificate is commonly used to secure email communication?
A) EV SSL Certificate
B) S/MIME Certificate
C) Wildcard Certificate
D) DNSSEC Certificate
✅ Answer: B) S/MIME Certificate
🔹 Explanation: Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates are used for email encryption and digital signing.
62. In PKI, what is a Certificate Transparency (CT) log used for?
A) To detect fraudulent or misissued certificates
B) To encrypt TLS traffic
C) To store expired certificates for analysis
D) To manage user passwords
✅ Answer: A) To detect fraudulent or misissued certificates
🔹 Explanation: Certificate Transparency (CT) logs help in detecting and preventing unauthorized or fraudulent certificate issuance.
63. What is a TLS handshake responsible for?
A) Establishing a secure communication channel between a client and a server
B) Encrypting stored passwords
C) Managing firewall rules
D) Detecting phishing websites
✅ Answer: A) Establishing a secure communication channel between a client and a server
🔹 Explanation: A TLS handshake is the process where a client and server negotiate encryption settings and establish a secure connection.
64. What is the purpose of the Extended Key Usage (EKU) field in an X.509 certificate?
A) It specifies the allowed purposes of the certificate, such as code signing or server authentication
B) It encrypts the private key for security
C) It determines the hashing algorithm used
D) It stores the certificate’s CRL information
✅ Answer: A) It specifies the allowed purposes of the certificate, such as code signing or server authentication
🔹 Explanation: Extended Key Usage (EKU) defines specific purposes for which a digital certificate can be used.
65. Which key is used to verify a digital signature in PKI?
A) Private Key
B) Public Key
C) Symmetric Key
D) Session Key
✅ Answer: B) Public Key
🔹 Explanation: A public key is used to verify digital signatures, ensuring the authenticity and integrity of the signed data.
66. What does a wildcard SSL certificate secure?
A) A single domain only
B) A specific subdomain
C) A domain and all its subdomains
D) Multiple unrelated domains
✅ Answer: C) A domain and all its subdomains
🔹 Explanation: Wildcard SSL certificates secure a domain and all its subdomains (e.g., *.example.com covers mail.example.com, blog.example.com, etc.).
67. How does a browser validate a website’s SSL certificate?
A) By checking the certificate against a list of trusted Root CAs
B) By performing a brute-force attack on the certificate
C) By comparing the certificate with firewall rules
D) By verifying the server’s MAC address
✅ Answer: A) By checking the certificate against a list of trusted Root CAs
🔹 Explanation: Browsers validate SSL certificates by verifying the certificate chain against their list of trusted Root CAs.
68. What is a Cross-Signed Certificate?
A) A certificate that is signed by two different Certificate Authorities (CAs)
B) A certificate used for internal network security only
C) A certificate that encrypts both emails and websites
D) A self-signed certificate with an extended expiration date
✅ Answer: A) A certificate that is signed by two different Certificate Authorities (CAs)
🔹 Explanation: Cross-signed certificates help transition from one CA to another while maintaining compatibility.
69. Why are longer key lengths (e.g., 4096-bit RSA) not always preferred?
A) They decrease security
B) They increase computational overhead and slow performance
C) They cannot be used for encryption
D) They prevent revocation
✅ Answer: B) They increase computational overhead and slow performance
🔹 Explanation: Longer key lengths (e.g., 4096-bit RSA) offer better security but increase computational overhead, making them slower.
70. What role does the serial number play in an X.509 certificate?
A) It uniquely identifies the certificate
B) It encrypts the public key
C) It defines the certificate’s key usage
D) It acts as the private key
✅ Answer: A) It uniquely identifies the certificate
🔹 Explanation: The serial number is a unique identifier assigned to each X.509 certificate by the CA.
71. What is a dual-key pair in PKI used for?
A) One key for encryption and another for decryption
B) One key for signing and another for encryption
C) Two keys for decryption only
D) A backup key for disaster recovery
✅ Answer: B) One key for signing and another for encryption
🔹 Explanation: Some PKI systems use dual-key pairs, where one pair is used for encryption/decryption, and the other for signing/verification.
72. Which hashing algorithm is commonly used in digital certificates for ensuring integrity?
A) AES
B) SHA-256
C) RSA
D) DES
✅ Answer: B) SHA-256
🔹 Explanation: SHA-256 is commonly used in digital certificates to generate hash values, ensuring data integrity.
73. What is the purpose of the Distinguished Name (DN) in an X.509 certificate?
A) Identifies the certificate’s issuer and subject
B) Specifies the hashing algorithm used
C) Defines the encryption strength
D) Stores the certificate’s expiration date
✅ Answer: A) Identifies the certificate’s issuer and subject
🔹 Explanation: The Distinguished Name (DN) contains identifying information about the certificate owner and issuer.
74. What is the function of a Trust Anchor in PKI?
A) It serves as a root of trust for validating certificates
B) It encrypts the private key for security
C) It automatically renews expired certificates
D) It provides encryption keys for browsers
✅ Answer: A) It serves as a root of trust for validating certificates
🔹 Explanation: A Trust Anchor is usually the Root CA, which is inherently trusted in certificate validation.
75. What does PKI use to ensure non-repudiation?
A) Symmetric Encryption
B) Digital Signatures
C) Firewalls
D) SSL/TLS Handshakes
✅ Answer: B) Digital Signatures
🔹 Explanation: Digital signatures ensure that senders cannot deny sending a message, providing non-repudiation.
76. What is a Code Signing Certificate used for?
A) Verifying the authenticity and integrity of software
B) Encrypting data in transit
C) Securing email communications
D) Encrypting file storage
✅ Answer: A) Verifying the authenticity and integrity of software
🔹 Explanation: Code Signing Certificates are used to digitally sign software, proving that it has not been altered.
77. What does the Key Usage field in an X.509 certificate specify?
A) Allowed cryptographic operations (e.g., key encipherment, digital signature)
B) The expiration date of the certificate
C) The issuing CA’s name
D) The encryption algorithm used
✅ Answer: A) Allowed cryptographic operations (e.g., key encipherment, digital signature)
🔹 Explanation: The Key Usage field defines whether a certificate can be used for encryption, signing, or key agreement.
78. What is the purpose of OCSP stapling?
A) Reduces the need for frequent OCSP queries by clients
B) Encrypts the private key in a certificate
C) Helps in key escrow management
D) Generates public-private key pairs
✅ Answer: A) Reduces the need for frequent OCSP queries by clients
🔹 Explanation: OCSP stapling allows servers to attach (staple) an OCSP response to the SSL/TLS handshake, improving performance and privacy.
79. What is a Cross-Certification Agreement in PKI?
A) A trust relationship between two different Certificate Authorities (CAs)
B) A method for encrypting certificates
C) A way to revoke multiple certificates at once
D) A process for extending certificate validity
✅ Answer: A) A trust relationship between two different Certificate Authorities (CAs)
🔹 Explanation: Cross-certification allows different CAs to trust each other’s certificates without a common Root CA.
80. What is an end-entity certificate?
A) A certificate issued to an individual, device, or server for authentication
B) A certificate used to sign other certificates
C) A Root CA certificate
D) A certificate used for encrypting CRLs
✅ Answer: A) A certificate issued to an individual, device, or server for authentication
🔹 Explanation: End-entity certificates are issued to users, systems, or devices for secure authentication and communication.
81. Why are self-signed certificates considered insecure for public websites?
A) They are not issued by a trusted CA
B) They use weak encryption
C) They do not support hashing
D) They cannot be revoked
✅ Answer: A) They are not issued by a trusted CA
🔹 Explanation: Self-signed certificates lack third-party validation, making them untrustworthy for public use.
82. What is a hardware token used for in PKI?
A) Storing cryptographic keys securely
B) Encrypting email messages
C) Managing SSL/TLS certificates
D) Generating a CRL
✅ Answer: A) Storing cryptographic keys securely
🔹 Explanation: Hardware tokens store private keys securely, protecting them from being extracted or copied.
83. What does a Root CA compromise mean for a PKI system?
A) All certificates issued by the CA become untrusted
B) Only expired certificates are affected
C) Encryption algorithms are changed
D) The certificates remain valid
✅ Answer: A) All certificates issued by the CA become untrusted
🔹 Explanation: If a Root CA's private key is compromised, every certificate beneath it can be forged and the whole trust hierarchy collapses. Revocation alone does not fix this, because the attacker can also sign CRLs and OCSP responses: the root must be removed from trust stores and the hierarchy rebuilt under a new root key.
84. What is the difference between a wildcard and a SAN certificate?
A) Wildcard covers subdomains, while SAN covers multiple domains
B) SAN only supports email encryption
C) Wildcard requires manual renewal
D) Wildcard certificates have shorter expiration periods
✅ Answer: A) Wildcard covers subdomains, while SAN covers multiple domains
🔹 Explanation: A wildcard certificate covers the subdomains of one domain at a single label level (*.example.com matches www.example.com but not example.com itself or a.b.example.com), while a SAN certificate lists several distinct names, which may be unrelated domains. In practice the wildcard entry is itself carried in the SAN extension, so the two are not mutually exclusive.
85. What does the term “certificate rollover” mean?
A) The process of replacing an expiring certificate with a new one
B) The automatic extension of a certificate’s expiration date
C) The encryption of certificates with a master key
D) A backup mechanism for SSL/TLS certificates
✅ Answer: A) The process of replacing an expiring certificate with a new one
🔹 Explanation: Certificate rollover refers to replacing an expiring certificate with a new one before expiration.
86. What is a CA certificate fingerprint used for?
A) Verifying the authenticity of a certificate
B) Encrypting TLS traffic
C) Managing key escrow
D) Generating private keys
✅ Answer: A) Verifying the authenticity of a certificate
🔹 Explanation: A certificate fingerprint is a hash (SHA-256 today; older tools still show SHA-1) of the certificate's DER encoding. Comparing it out of band confirms you hold exactly the certificate the CA published, for example before importing a root into a trust store.
87. Why is RSA still widely used in PKI despite newer algorithms?
A) It is highly compatible and widely supported
B) It is faster than modern encryption algorithms
C) It does not require key management
D) It supports 128-bit encryption
✅ Answer: A) It is highly compatible and widely supported
🔹 Explanation: RSA is widely used because it is highly compatible with existing infrastructure, despite newer algorithms like ECC.
88. Which certificate file format is typically used for Windows systems?
A) .pfx
B) .pem
C) .der
D) .crt
✅ Answer: A) .pfx
🔹 Explanation: PFX (Personal Information Exchange, the PKCS #12 format) is a password-protected container that bundles a private key with its certificate and chain; Windows tooling uses it to import and export certificates together with their keys.
89. What does a “leaf certificate” refer to in PKI?
A) The final certificate in a chain issued to an end-entity
B) A self-signed certificate
C) A backup certificate
D) A certificate used only for file encryption
✅ Answer: A) The final certificate in a chain issued to an end-entity
🔹 Explanation: A leaf certificate is the end-entity certificate in a certificate chain.
90. What is the primary advantage of Elliptic Curve Cryptography (ECC) over RSA?
A) It provides the same security with smaller key sizes
B) It replaces hashing algorithms
C) It does not require key pairs
D) It is not widely supported
✅ Answer: A) It provides the same security with smaller key sizes
🔹 Explanation: ECC offers strong security with smaller key sizes, making it more efficient than RSA.
91. What is the main advantage of using an HSM (Hardware Security Module) in PKI?
A) It securely generates, stores, and manages cryptographic keys
B) It acts as a firewall for SSL/TLS traffic
C) It replaces digital certificates with physical keys
D) It speeds up the SSL handshake process
✅ Answer: A) It securely generates, stores, and manages cryptographic keys
🔹 Explanation: HSMs provide highly secure key storage and management, ensuring that private keys are protected from theft or compromise.
92. Which entity is responsible for defining PKI policies and ensuring compliance?
A) Certificate Authority (CA)
B) Registration Authority (RA)
C) Policy Authority (PA)
D) Online Certificate Status Protocol (OCSP) Server
✅ Answer: C) Policy Authority (PA)
🔹 Explanation: The Policy Authority (PA) defines rules and policies for PKI operations, ensuring compliance with security standards.
93. What is the main function of a Root Certificate Authority (Root CA)?
A) To issue, sign, and revoke all certificates in a PKI hierarchy
B) To directly communicate with end-users for certificate issuance
C) To encrypt all network communications
D) To store private keys for all certificates
✅ Answer: A) To issue, sign, and revoke all certificates in a PKI hierarchy
🔹 Explanation: The Root CA is the top-tier authority and the trust anchor of the hierarchy. In a well-run PKI it signs only the Intermediate CA certificates and its own CRL and is then kept offline; day-to-day issuance of end-entity certificates is delegated to the intermediates, so option A describes the root's authority rather than its routine work.
94. Why is it important to revoke compromised certificates immediately?
A) To prevent attackers from using them for malicious purposes
B) To allow their automatic renewal
C) To extend their expiration date
D) To ensure the certificate’s encryption remains strong
✅ Answer: A) To prevent attackers from using them for malicious purposes
🔹 Explanation: If a certificate is compromised, revoking it ensures it can no longer be trusted or used in man-in-the-middle (MITM) attacks.
95. What is the purpose of the Basic Constraints field in an X.509 certificate?
A) It defines whether the certificate can act as a CA or an end-entity
B) It specifies the encryption algorithm used
C) It stores the certificate’s expiration date
D) It determines the certificate’s key length
✅ Answer: A) It defines whether the certificate can act as a CA or an end-entity
🔹 Explanation: The Basic Constraints extension carries a cA boolean (true for CA certificates that may sign other certificates, false or absent for end-entity certificates) and an optional pathLenConstraint that limits how many further CA certificates may follow below it in a chain. For CA certificates the extension must be marked critical.
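How these two extensions from questions 77 and 95 actually look on the wire is worth seeing once. The Go program below is an added example written for this page, not part of the quiz; it uses only the standard library's encoding/asn1 and encodes and decodes Key Usage (a named-bit BIT STRING whose trailing zero bits DER requires you to drop) and Basic Constraints (a SEQUENCE in which cA is omitted when FALSE and pathLenConstraint is omitted when absent). The usage combinations in main are typical choices for a TLS server and a CA, not values taken from the page.

```go
package main

import (
	"encoding/asn1"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyUsage named bits in the order RFC 5280 section 4.2.1.3 assigns them (bit 0 first).
var keyUsageNames = []string{
	"digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
	"keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
}

// basicConstraints mirrors RFC 5280 section 4.2.1.9:
//   BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
//                                   pathLenConstraint INTEGER (0..MAX) OPTIONAL }
// The struct tags make the encoder omit cA when FALSE and PathLen when -1
// (absent), which is exactly what DER requires for defaults and optionals.
type basicConstraints struct {
	CA      bool `asn1:"optional"`
	PathLen int  `asn1:"optional,default:-1"`
}

// EncodeKeyUsage returns the DER BIT STRING for the named bits. DER forbids
// trailing zero bits in a named bit list, so the bit length is the highest
// set bit plus one rather than a fixed nine.
func EncodeKeyUsage(names ...string) ([]byte, error) {
	var bs asn1.BitString
	highest := -1
	for _, name := range names {
		idx := -1
		for i, n := range keyUsageNames {
			if n == name {
				idx = i
			}
		}
		if idx < 0 {
			return nil, errors.New("unknown key usage: " + name)
		}
		if idx > highest {
			highest = idx
		}
		for len(bs.Bytes) <= idx/8 {
			bs.Bytes = append(bs.Bytes, 0)
		}
		bs.Bytes[idx/8] |= 0x80 >> (idx % 8) // bit 0 is the most significant bit of the first octet
	}
	bs.BitLength = highest + 1
	return asn1.Marshal(bs)
}

// DecodeKeyUsage parses a DER BIT STRING back into the set of named bits.
func DecodeKeyUsage(der []byte) ([]string, error) {
	var bs asn1.BitString
	if _, err := asn1.Unmarshal(der, &bs); err != nil {
		return nil, err
	}
	var out []string
	for i := 0; i < bs.BitLength && i < len(keyUsageNames); i++ {
		if bs.At(i) == 1 {
			out = append(out, keyUsageNames[i])
		}
	}
	return out, nil
}

// EncodeBasicConstraints encodes cA and pathLenConstraint; pathLen < 0 means "absent".
func EncodeBasicConstraints(ca bool, pathLen int) ([]byte, error) {
	if pathLen < 0 {
		pathLen = -1
	}
	return asn1.Marshal(basicConstraints{CA: ca, PathLen: pathLen})
}

// DecodeBasicConstraints returns cA and pathLenConstraint (-1 when absent).
func DecodeBasicConstraints(der []byte) (ca bool, pathLen int, err error) {
	var bc basicConstraints
	if _, err = asn1.Unmarshal(der, &bc); err != nil {
		return false, -1, err
	}
	return bc.CA, bc.PathLen, nil
}

func main() {
	show := func(label string, der []byte, err error) {
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-28s %s\n", label, hex.EncodeToString(der))
	}
	leafKU, err := EncodeKeyUsage("digitalSignature", "keyEncipherment")
	show("TLS server key usage:", leafKU, err) // 030205a0
	caKU, err := EncodeKeyUsage("keyCertSign", "cRLSign")
	show("CA key usage:", caKU, err) // 03020106
	bcCA, err := EncodeBasicConstraints(true, 0)
	show("CA, pathLenConstraint 0:", bcCA, err) // 30060101ff020100
	bcEE, err := EncodeBasicConstraints(false, -1)
	show("end entity (all defaults):", bcEE, err) // 3000
	names, _ := DecodeKeyUsage(leafKU)
	isCA, pl, _ := DecodeBasicConstraints(bcCA)
	fmt.Println("decoded:", names, "cA =", isCA, "pathLen =", pl)
}
```

Those byte strings are what you find inside the OCTET STRING of the extensions with OIDs 2.5.29.15 (keyUsage) and 2.5.29.19 (basicConstraints) in a DER dump of a real certificate; a CA certificate that showed 0302 05a0 here would be a mis-issuance worth reporting.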
96. What does “key escrow” refer to in PKI?
A) A system where encryption keys are securely stored by a trusted third party
B) A process of revoking digital certificates
C) A method of encrypting SSL/TLS keys
D) A way of automatically renewing certificates
✅ Answer: A) A system where encryption keys are securely stored by a trusted third party
🔹 Explanation: Key escrow allows encryption keys to be securely stored by a trusted third party, enabling key recovery if needed.
97. What is the function of a Timestamp Authority (TSA) in PKI?
A) To provide a trusted timestamp to prove when a document was signed
B) To encrypt private keys for added security
C) To revoke expired digital certificates
D) To store the certificate revocation list (CRL)
✅ Answer: A) To provide a trusted timestamp to prove when a document was signed
🔹 Explanation: A Timestamp Authority (TSA) provides a time-based validation of when a digital signature was applied, ensuring its validity.
98. What is the primary benefit of using an online CA compared to an offline CA?
A) Faster certificate issuance and validation
B) Reduced risk of key compromise
C) Increased encryption strength
D) Certificates do not expire
✅ Answer: A) Faster certificate issuance and validation
🔹 Explanation: Online CAs are actively available for issuing and verifying certificates, making them faster but also more vulnerable to attacks than offline CAs.
99. How does PKI help ensure the confidentiality of data?
A) By using encryption mechanisms to protect information
B) By generating firewall rules
C) By storing private keys in plaintext
D) By enabling HTTP traffic over the network
✅ Answer: A) By using encryption mechanisms to protect information
🔹 Explanation: PKI supports confidentiality through public-key cryptography, but bulk data is rarely encrypted with the public key directly: the certificate's key authenticates a key exchange (or wraps a session key), and a symmetric cipher such as AES-GCM then encrypts the data.
100. What does “certificate chaining” mean in PKI?
A) The process of linking certificates in a hierarchical structure to verify trust
B) The renewal of an expired certificate with a new key pair
C) The revocation of a certificate by multiple CAs
D) The use of multiple certificates for the same domain
✅ Answer: A) The process of linking certificates in a hierarchical structure to verify trust
🔹 Explanation: Certificate chaining involves verifying a certificate’s trust by following the chain of trust from the end-entity certificate to the Root CA.
101. What is the primary function of an Intermediate Certificate Authority (CA)?
A) To act as a bridge between the Root CA and end-entity certificates
B) To generate private keys for users
C) To store encryption keys in a centralized database
D) To encrypt all internet communications
✅ Answer: A) To act as a bridge between the Root CA and end-entity certificates
🔹 Explanation: An Intermediate CA issues certificates on behalf of the Root CA, helping distribute trust and reduce risk if compromised.
102. Which attack can occur if a CA is compromised?
A) Phishing Attack
B) Man-in-the-Middle (MITM) Attack
C) SQL Injection
D) Buffer Overflow
✅ Answer: B) Man-in-the-Middle (MITM) Attack
🔹 Explanation: A compromised CA could issue fraudulent certificates, allowing attackers to impersonate trusted websites and perform MITM attacks.
103. What is the key characteristic of an Attribute Certificate (AC) in PKI?
A) It does not contain a public key but stores user attributes and permissions
B) It encrypts sensitive files
C) It is used for email communication only
D) It replaces digital signatures in PKI
✅ Answer: A) It does not contain a public key but stores user attributes and permissions
🔹 Explanation: Attribute Certificates (RFC 5755) carry attributes, roles, and permissions for a holder but no public key; they are bound to the holder's public-key certificate (by issuer and serial number) rather than replacing it, which keeps short-lived authorization data out of the longer-lived identity certificate.
104. What is the maximum recommended validity period for TLS/SSL certificates as per industry standards?
A) 5 years
B) 3 years
C) 2 years
D) 1 year
✅ Answer: D) 1 year
🔹 Explanation: Since September 2020 browsers and the CA/Browser Forum Baseline Requirements cap publicly trusted TLS certificates at 398 days (about 13 months); shorter lifetimes limit the damage from an undetected key compromise and reduce reliance on revocation. The Baseline Requirements have since adopted a schedule that shortens this further in stages, and private PKIs may set their own limits.
105. What is the purpose of a revocation reason code in a Certificate Revocation List (CRL)?
A) To indicate why a certificate was revoked
B) To extend the validity of the revoked certificate
C) To encrypt the revocation list
D) To enable auto-renewal of revoked certificates
✅ Answer: A) To indicate why a certificate was revoked
🔹 Explanation: RFC 5280 defines the CRLReason codes: unspecified (0), keyCompromise (1), cACompromise (2), affiliationChanged (3), superseded (4), cessationOfOperation (5), certificateHold (6), removeFromCRL (8), privilegeWithdrawn (9), and aACompromise (10). The code tells relying parties whether earlier signatures are suspect (keyCompromise) or the certificate merely became obsolete (superseded).
106. Which protocol is used for certificate enrollment in automated PKI environments?
A) OCSP
B) SCEP
C) SSH
D) AES
✅ Answer: B) SCEP
🔹 Explanation: Simple Certificate Enrollment Protocol (SCEP) automates certificate requests and issuance, typically for network devices and MDM-managed endpoints; newer deployments use EST (RFC 7030) or ACME (RFC 8555) for the same job.
107. What is the role of the Authority Key Identifier (AKI) field in an X.509 certificate?
A) It links a certificate to the issuing CA’s public key
B) It encrypts the private key
C) It defines the validity period of the certificate
D) It determines whether the certificate is self-signed
✅ Answer: A) It links a certificate to the issuing CA’s public key
🔹 Explanation: The AKI extension carries the key identifier of the issuing CA's public key (optionally with the issuer name and serial number), which matches the Subject Key Identifier in the CA's own certificate. A validator uses it to pick the right issuer certificate when a CA has several certificates for the same name, for example after a key rollover.
108. Which PKI component is responsible for storing issued certificates and their status?
A) Registration Authority (RA)
B) Certificate Repository
C) Certificate Policy Authority
D) Cryptographic Module
✅ Answer: B) Certificate Repository
🔹 Explanation: A Certificate Repository stores issued certificates, their status, and revocation information.
109. What is a Delta CRL used for in PKI?
A) It provides updates to a full CRL, containing only newly revoked certificates
B) It replaces a full CRL entirely
C) It issues new public keys for compromised certificates
D) It extends the validity of revoked certificates
✅ Answer: A) It provides updates to a full CRL, containing only newly revoked certificates
🔹 Explanation: Delta CRLs improve efficiency by listing only the certificates revoked since the last full CRL.
110. Why is a key escrow system sometimes used in enterprise PKI implementations?
A) To securely store encryption keys for recovery purposes
B) To automatically renew certificates
C) To encrypt SSL/TLS sessions
D) To generate public and private keys
✅ Answer: A) To securely store encryption keys for recovery purposes
🔹 Explanation: Key escrow allows authorized recovery of encryption keys, preventing data loss if keys are lost.
111. What is the function of an Issuer Distinguished Name (Issuer DN) in a certificate?
A) It identifies the Certificate Authority (CA) that issued the certificate
B) It encrypts the certificate’s public key
C) It defines the certificate’s expiration date
D) It determines the encryption strength
✅ Answer: A) It identifies the Certificate Authority (CA) that issued the certificate
🔹 Explanation: The Issuer DN specifies the name of the CA that issued the certificate.
112. What happens if a certificate does not contain a Subject Alternative Name (SAN)?
A) It can only be used for a single domain
B) It can be used for multiple domains
C) It cannot be used for encryption
D) It is automatically revoked
✅ Answer: A) It can only be used for a single domain
🔹 Explanation: The SAN extension lists the DNS names (and IP addresses) a certificate is valid for and may hold many of them. Without it, legacy clients fall back to the Common Name, which names a single host; modern browsers (Chrome since version 58) ignore the Common Name entirely and reject a certificate with no SAN for TLS hostname validation.
113. What is a digital certificate’s thumbprint?
A) A unique hash value used to verify the integrity of the certificate
B) The certificate’s serial number
C) The private key of the certificate
D) A key used for encrypting digital signatures
✅ Answer: A) A unique hash value used to verify the integrity of the certificate
🔹 Explanation: A certificate thumbprint is a cryptographic hash that uniquely identifies a certificate.
114. What does Elliptic Curve Cryptography (ECC) offer over RSA?
A) Stronger security with shorter key lengths
B) Unlimited key size
C) Improved symmetric encryption
D) Compatibility with legacy systems
✅ Answer: A) Stronger security with shorter key lengths
🔹 Explanation: ECC reaches the same security level as RSA with far smaller keys (a 256-bit curve is comparable to 3072-bit RSA), giving smaller certificates and faster signing and key exchange.
115. Why should expired certificates be removed from a system?
A) To prevent potential security risks and MITM attacks
B) To free up disk space
C) To allow their reuse for encryption
D) To reduce SSL/TLS handshake time
✅ Answer: A) To prevent potential security risks and MITM attacks
🔹 Explanation: Stale certificates and, above all, their private keys are operational debris: clients that skip validity-date checks (some embedded or scripted TLS clients do) will still accept them, and leftover key material is one more thing for an attacker to steal. Removing them keeps the inventory accurate and the attack surface small.
116. What is the purpose of a Certificate Policy (CP) document in PKI?
A) It defines the rules for issuing, managing, and revoking certificates
B) It stores all issued certificates
C) It specifies the encryption algorithm used in the certificate
D) It defines the physical location of a CA
✅ Answer: A) It defines the rules for issuing, managing, and revoking certificates
🔹 Explanation: A Certificate Policy (CP) sets the requirements and practices for certificate issuance and management.
117. What is the function of the Certificate Path Validation (CPV) process?
A) It verifies the chain of trust from an end-entity certificate to a trusted Root CA
B) It extends the expiration date of certificates
C) It revokes compromised certificates
D) It encrypts certificate repositories
✅ Answer: A) It verifies the chain of trust from an end-entity certificate to a trusted Root CA
🔹 Explanation: CPV (RFC 5280 section 6) walks the chain from the end-entity certificate to a trust anchor, checking at each step the signature, validity dates, Basic Constraints and path length, Key Usage, name and policy constraints, and revocation status; a certificate is trusted only if every link passes.
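Questions 93, 95, 100, 101 and 117 describe the same mechanism from different angles: a Root CA certifies an Intermediate CA, the intermediate issues the leaf, and a validator walks that chain back to a trust anchor it already holds. The Go program below is an added example written for this page, not part of the quiz; it uses only the standard library's crypto/x509 to issue a three-tier hierarchy with the Basic Constraints, Key Usage, EKU and SAN values such certificates normally carry, then runs path validation and shows three failures: a host name missing from the SAN, a chain with no intermediate, and a leaf (cA=false) being used as an issuer. All names ("Example Root CA", www.example.com, login.example.net) are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issued pairs a certificate with the private key behind it.
type Issued struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue creates a P-256 key pair and a certificate for name, signed by parent
// (self-signed when parent is nil). CA certificates get Basic Constraints
// cA=true with a path length limit and keyCertSign|cRLSign; end entities get
// cA=false, digitalSignature, EKU serverAuth and the name in the SAN.
func issue(name string, ca bool, pathLen int, parent *Issued) (*Issued, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)) // random serial, as RFC 5280 expects
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(0, 0, 90),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:              []string{name},
	}
	if ca {
		tmpl.IsCA, tmpl.MaxPathLen, tmpl.MaxPathLenZero = true, pathLen, pathLen == 0
		tmpl.KeyUsage, tmpl.ExtKeyUsage, tmpl.DNSNames = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil, nil
		tmpl.NotAfter = time.Now().AddDate(10, 0, 0)
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Issued{Cert: cert, Key: key}, nil
}

// BuildHierarchy issues root (pathLen 1) -> intermediate (pathLen 0) -> leaf for host.
func BuildHierarchy(host string) (leaf, inter, root *Issued, err error) {
	if root, err = issue("Example Root CA", true, 1, nil); err == nil {
		if inter, err = issue("Example Issuing CA", true, 0, root); err == nil {
			leaf, err = issue(host, false, 0, inter)
		}
	}
	return
}

// Validate performs certificate path validation from leaf to the trusted root
// through the given intermediates, checking host name and EKU on the way.
func Validate(leaf *x509.Certificate, inters []*x509.Certificate, root *x509.Certificate, host string) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	opts.Roots.AddCert(root)
	for _, c := range inters {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err
}

// RogueIssuanceRejected tries to use the leaf (cA=false) as an issuer. The
// attempt fails at signing time or, at the latest, during path validation,
// because a certificate without cA=true may not sign other certificates.
func RogueIssuanceRejected(leaf, inter, root *Issued) bool {
	rogue, err := issue("login.example.net", false, 0, leaf)
	return err != nil || Validate(rogue.Cert, []*x509.Certificate{leaf.Cert, inter.Cert}, root.Cert, "login.example.net") != nil
}

func main() {
	leaf, inter, root, err := BuildHierarchy("www.example.com")
	if err != nil {
		panic(err)
	}
	inters := []*x509.Certificate{inter.Cert}
	fmt.Println("good chain:", Validate(leaf.Cert, inters, root.Cert, "www.example.com"))   // <nil>
	fmt.Println("wrong host:", Validate(leaf.Cert, inters, root.Cert, "mail.example.com"))  // hostname error
	fmt.Println("no intermediate:", Validate(leaf.Cert, nil, root.Cert, "www.example.com")) // unknown authority
	fmt.Println("leaf as issuer rejected:", RogueIssuanceRejected(leaf, inter, root))      // true
}
```

The rogue case is the one that matters for question 95: Go's verifier, like every browser, refuses a parent whose Basic Constraints do not assert cA, and the intermediate's pathLenConstraint of 0 would independently reject a fourth certificate in the chain.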
118. What is the primary advantage of using Online Certificate Status Protocol (OCSP) over Certificate Revocation Lists (CRLs)?
A) OCSP provides real-time revocation status, while CRLs must be downloaded periodically
B) OCSP is easier to implement than CRLs
C) CRLs provide faster response times than OCSP
D) OCSP does not require a trusted Certificate Authority (CA)
✅ Answer: A) OCSP provides real-time revocation status, while CRLs must be downloaded periodically
🔹 Explanation: OCSP returns a signed, time-stamped status for a single certificate on demand, so the client need not download and parse an entire revocation list. The trade-offs are that the responder must be reachable (most browsers soft-fail, that is, accept the certificate, when it is not) and that plain OCSP queries reveal browsing activity to the CA, which is why OCSP stapling exists.
119. What does the Subject Key Identifier (SKI) field in an X.509 certificate provide?
A) A unique identifier for the certificate’s public key
B) A fingerprint of the certificate issuer
C) The certificate’s expiration date
D) The digital signature of the issuing CA
✅ Answer: A) A unique identifier for the certificate’s public key
🔹 Explanation: The Subject Key Identifier (SKI) is an identifier derived from the certificate's public key (commonly a SHA-1 hash of the subjectPublicKey bits). A CA's SKI is copied into the Authority Key Identifier of every certificate it issues, so validators can pair each certificate with the right issuer key.
120. What type of encryption is used in SSL/TLS certificates for key exchange?
A) Asymmetric encryption
B) Symmetric encryption
C) Hash-based encryption
D) One-time pad encryption
✅ Answer: A) Asymmetric encryption
🔹 Explanation: TLS uses asymmetric cryptography to authenticate the key exchange and a symmetric cipher for the data. In TLS 1.3 the certificate's key signs the handshake and the session key comes from an ephemeral (EC)DHE exchange, which gives forward secrecy; RSA key transport, where the client encrypts the premaster secret to the server's public key, exists only in TLS 1.2 and earlier.
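The division of labour in question 120 (and the confidentiality point in question 99) is easier to see with both sides of the exchange written out. The Go program below is an added example written for this page, not part of the quiz, and it is a deliberately simplified TLS 1.3-style handshake: client and server each make an ephemeral P-256 share, the server signs the transcript with the private key behind its certificate (CertificateVerify), and the client verifies that signature with the certificate's public key before deriving the session key. Certificate chain validation, HKDF and record encryption are left out; a single SHA-256 stands in for the key schedule, and the "toy-tls13" labels are the example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// transcript hashes both key shares; TLS 1.3 signs a hash of the full handshake transcript.
func transcript(clientShare, serverShare []byte) []byte {
	sum := sha256.Sum256(append(append([]byte("toy-tls13 transcript"), clientShare...), serverShare...))
	return sum[:]
}

// sessionKey stands in for the TLS 1.3 HKDF key schedule: one hash of the ECDH secret.
func sessionKey(shared []byte) []byte {
	sum := sha256.Sum256(append([]byte("toy-tls13 key"), shared...))
	return sum[:]
}

// ServerHello: the server sends its ephemeral share plus a CertificateVerify
// signature over the transcript, made with the key behind its certificate.
func ServerHello(certKey *ecdsa.PrivateKey, clientShare []byte) (serverShare, sig, key []byte, err error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	clientPub, err := ecdh.P256().NewPublicKey(clientShare)
	if err != nil {
		return nil, nil, nil, err
	}
	shared, err := eph.ECDH(clientPub)
	if err != nil {
		return nil, nil, nil, err
	}
	serverShare = eph.PublicKey().Bytes()
	sig, err = ecdsa.SignASN1(rand.Reader, certKey, transcript(clientShare, serverShare))
	if err != nil {
		return nil, nil, nil, err
	}
	return serverShare, sig, sessionKey(shared), nil
}

// ClientFinish verifies CertificateVerify with the public key from the (already
// validated) certificate before deriving the key: a swapped share fails here.
func ClientFinish(certPub *ecdsa.PublicKey, clientEph *ecdh.PrivateKey, serverShare, sig []byte) ([]byte, error) {
	if !ecdsa.VerifyASN1(certPub, transcript(clientEph.PublicKey().Bytes(), serverShare), sig) {
		return nil, errors.New("CertificateVerify failed: share not signed by the certificate key")
	}
	serverPub, err := ecdh.P256().NewPublicKey(serverShare)
	if err != nil {
		return nil, err
	}
	shared, err := clientEph.ECDH(serverPub)
	if err != nil {
		return nil, err
	}
	return sessionKey(shared), nil
}

// Handshake runs both sides and reports whether they agree on the session key.
// With tamper set, a man-in-the-middle replaces the server's share in transit.
func Handshake(tamper bool) (bool, error) {
	certKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the server certificate's key pair
	if err != nil {
		return false, err
	}
	clientEph, err := ecdh.P256().GenerateKey(rand.Reader) // ClientHello key_share
	if err != nil {
		return false, err
	}
	serverShare, sig, serverKey, err := ServerHello(certKey, clientEph.PublicKey().Bytes())
	if err != nil {
		return false, err
	}
	if tamper {
		mitm, err := ecdh.P256().GenerateKey(rand.Reader)
		if err != nil {
			return false, err
		}
		serverShare = mitm.PublicKey().Bytes()
	}
	clientKey, err := ClientFinish(&certKey.PublicKey, clientEph, serverShare, sig)
	if err != nil {
		return false, err
	}
	return bytes.Equal(clientKey, serverKey), nil
}

func main() {
	fmt.Println(Handshake(false)) // true <nil>
	fmt.Println(Handshake(true))  // false CertificateVerify failed: ...
}
```

Note what the certificate key never does here: it never encrypts anything. Confidentiality comes from the ephemeral shares, authentication from the signature, and the two are tied together only because the signature covers the shares.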
121. What is the main purpose of a Certificate Signing Request (CSR)?
A) To request a digital certificate from a Certificate Authority
B) To revoke an issued certificate
C) To encrypt email messages
D) To generate a symmetric encryption key
✅ Answer: A) To request a digital certificate from a Certificate Authority
🔹 Explanation: A CSR is a formal request that contains public key details and identity information for obtaining a digital certificate.
122. How does Certificate Pinning enhance security?
A) It prevents users from accessing websites without valid SSL/TLS certificates
B) It ensures a website only uses a specific, pre-approved certificate
C) It allows certificates to be renewed automatically
D) It eliminates the need for encryption in communication
✅ Answer: B) It ensures a website only uses a specific, pre-approved certificate
🔹 Explanation: Certificate pinning (usually of the SHA-256 hash of the Subject Public Key Info rather than the whole certificate) makes a client accept only a pre-approved key, so a fraudulently issued but otherwise valid certificate is rejected, defeating MITM. The cost is brittleness: a rotated key with no backup pin locks users out, which is why HTTP Public Key Pinning was withdrawn from browsers and pinning is now mostly used inside mobile apps.
123. What does a “wildcard certificate” secure?
A) A single domain and all its subdomains
B) Multiple unrelated domains
C) A specific server IP address
D) Only email communication
✅ Answer: A) A single domain and all its subdomains
🔹 Explanation: A wildcard certificate secures the subdomains of one domain at a single label level: *.example.com covers www.example.com and api.example.com but not example.com itself (which must be listed separately in the SAN) or a.b.example.com.
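The one-label rule behind questions 84, 112 and 123 is the kind of thing to check with code rather than memory. The Go function below is an added example written for this page, not part of the quiz; it implements the host-name matching that browsers apply to SAN dNSName entries (case-insensitive, wildcard only as the entire leftmost label, matching exactly one label), and CertCovers shows that a certificate with no SAN entries covers no host at all. The SAN list and host names in main are constructed for the example; refusing a wildcard directly under a top-level label is this example's own guard, since CAs may not issue such names.

```go
package main

import (
	"fmt"
	"strings"
)

// MatchHostname reports whether a dNSName from a certificate's SAN extension
// (possibly a wildcard such as *.example.com) covers the requested host.
// The rules follow RFC 6125 as tightened by browsers and the CA/Browser Forum:
//   - comparison is case-insensitive and ignores a trailing dot;
//   - a wildcard must be the whole leftmost label ("*.example.com", never "w*.example.com");
//   - it matches exactly one label, so *.example.com covers www.example.com
//     but neither example.com nor a.b.example.com;
//   - a wildcard directly under a top-level label (*.com) is refused as too broad.
func MatchHostname(pattern, host string) bool {
	pattern = strings.ToLower(strings.TrimSuffix(pattern, "."))
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if pattern == "" || host == "" || strings.Contains(host, "*") {
		return false
	}
	if !strings.HasPrefix(pattern, "*.") {
		// Plain name: exact match only; any other use of '*' is an invalid name.
		return !strings.Contains(pattern, "*") && pattern == host
	}
	suffix := pattern[1:] // ".example.com"
	if strings.Count(suffix, ".") < 2 {
		return false
	}
	if !strings.HasSuffix(host, suffix) {
		return false
	}
	leftmost := host[:len(host)-len(suffix)]
	return leftmost != "" && !strings.Contains(leftmost, ".")
}

// CertCovers checks every SAN dNSName. An empty list means the certificate
// names no host at all: modern clients ignore the Common Name, so it covers nothing.
func CertCovers(sanDNSNames []string, host string) bool {
	for _, name := range sanDNSNames {
		if MatchHostname(name, host) {
			return true
		}
	}
	return false
}

func main() {
	san := []string{"example.com", "*.example.com"} // a typical SAN list for a wildcard certificate
	for _, h := range []string{"example.com", "www.example.com", "API.Example.COM.", "a.b.example.com", "example.org"} {
		fmt.Printf("%-18s covered: %v\n", h, CertCovers(san, h))
	}
	fmt.Println("*.com covers foo.com:", MatchHostname("*.com", "foo.com"))                            // false
	fmt.Println("w*.example.com covers www.example.com:", MatchHostname("w*.example.com", "www.example.com")) // false
	fmt.Println("certificate with no SAN covers www.example.com:", CertCovers(nil, "www.example.com"))   // false
}
```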
124. Which of the following is NOT a component of PKI?
A) Firewall
B) Certificate Authority (CA)
C) Public and Private Keys
D) Certificate Revocation List (CRL)
✅ Answer: A) Firewall
🔹 Explanation: While firewalls provide network security, they are not a component of PKI, which focuses on certificates and cryptographic key management.
125. What is the main purpose of a Time-Stamping Authority (TSA)?
A) To add a trusted timestamp to digital signatures
B) To issue digital certificates
C) To encrypt files on a server
D) To manage SSL/TLS handshakes
✅ Answer: A) To add a trusted timestamp to digital signatures
🔹 Explanation: TSAs add trusted timestamps to digital signatures, ensuring they were created at a specific time and not altered later.
126. What happens when a digital certificate is compromised?
A) It must be revoked immediately
B) It can continue to be used
C) It gets automatically renewed
D) It is stored in an encrypted format
✅ Answer: A) It must be revoked immediately
🔹 Explanation: Compromised certificates pose a security risk and must be revoked immediately to prevent unauthorized use.
127. Which type of certificate is used for securing software distribution?
A) Code Signing Certificate
B) Extended Validation (EV) Certificate
C) Wildcard Certificate
D) Email Encryption Certificate
✅ Answer: A) Code Signing Certificate
🔹 Explanation: Code Signing Certificates are used to digitally sign software, ensuring that it has not been tampered with after publication.
128. What is the function of a Registration Authority (RA) in PKI?
A) To verify users before issuing a certificate
B) To generate public-private key pairs
C) To store encryption keys
D) To revoke certificates automatically
✅ Answer: A) To verify users before issuing a certificate
🔹 Explanation: The RA verifies the identity of entities requesting a certificate before the CA issues it.
129. What does “certificate transparency” help prevent?
A) Unauthorized or fraudulent issuance of certificates
B) Phishing attacks
C) Distributed Denial of Service (DDoS) attacks
D) SQL Injection attacks
✅ Answer: A) Unauthorized or fraudulent issuance of certificates
🔹 Explanation: Certificate Transparency (RFC 6962) requires CAs to publish every certificate they issue to public, append-only logs; browsers demand proof of logging (SCTs) before trusting a certificate, and domain owners can monitor the logs to spot certificates mis-issued for their names.
130. What does a self-signed certificate lack compared to CA-issued certificates?
A) Trust from external systems
B) Encryption capability
C) A public key
D) A digital signature
✅ Answer: A) Trust from external systems
🔹 Explanation: Self-signed certificates are not issued by a trusted CA, making them untrusted for external communication.
131. What is the main limitation of using 1024-bit RSA encryption today?
A) It is no longer considered secure against modern computing power
B) It requires excessive processing power
C) It cannot be used for TLS encryption
D) It does not support asymmetric encryption
✅ Answer: A) It is no longer considered secure against modern computing power
🔹 Explanation: 1024-bit RSA offers roughly 80 bits of security; NIST disallowed it for signature generation after 2013 and publicly trusted CAs no longer issue or chain to such keys. A public factorization has not been demonstrated, but the margin against a well-resourced adversary is considered too thin, so 2048 bits is the minimum today and 3072-bit RSA or ECC is preferred.
132. What does the term “key pair” refer to in PKI?
A) A public and a private key used together for encryption and decryption
B) Two private keys used for authentication
C) Two identical keys for symmetric encryption
D) A key stored in two different locations
✅ Answer: A) A public and a private key used together for encryption and decryption
🔹 Explanation: PKI uses a key pair: the public key (published in the certificate) encrypts to the owner and verifies the owner's signatures; the private key (kept secret by the owner) decrypts and signs.
133. What is the main role of a Public Key Infrastructure (PKI)?
A) To manage digital certificates and cryptographic keys
B) To configure firewalls
C) To block phishing websites
D) To enforce network access control
✅ Answer: A) To manage digital certificates and cryptographic keys
🔹 Explanation: PKI is responsible for issuing, managing, and revoking digital certificates.
134. What is a “leaf certificate” in PKI?
A) The final certificate in a certificate chain
B) A CA root certificate
C) A wildcard certificate
D) A self-signed certificate
✅ Answer: A) The final certificate in a certificate chain
🔹 Explanation: The leaf certificate is the end-entity certificate issued to a server, user, or device.
135. Which key is used to sign a digital certificate issued by a CA?
A) The CA’s private key
B) The end-user’s public key
C) A symmetric key
D) The OCSP key
✅ Answer: A) The CA’s private key
🔹 Explanation: The CA signs certificates using its private key, which allows users to verify them using the CA’s public key.
136. What is an advantage of using Elliptic Curve Cryptography (ECC) over RSA?
A) It provides the same security with a smaller key size
B) It eliminates the need for digital certificates
C) It does not require key management
D) It replaces all symmetric encryption algorithms
✅ Answer: A) It provides the same security with a smaller key size
🔹 Explanation: ECC is more efficient than RSA, offering strong encryption with smaller key sizes, which improves performance and security.
137. What is the primary function of a Root CA certificate?
A) To establish the highest level of trust in PKI
B) To encrypt emails
C) To generate private keys for users
D) To validate firewall rules
✅ Answer: A) To establish the highest level of trust in PKI
🔹 Explanation: A Root CA is the top-level authority in a PKI trust hierarchy, used to issue certificates to Intermediate CAs.
138. What does a Key Distribution Center (KDC) do in a PKI environment?
A) Manages the distribution of encryption keys for secure communication
B) Issues TLS/SSL certificates for web servers
C) Stores revoked certificates
D) Encrypts all traffic in a PKI environment
✅ Answer: A) Manages the distribution of encryption keys for secure communication
🔹 Explanation: A KDC is not a PKI component: it belongs to symmetric-key authentication systems such as Kerberos, where it issues tickets under keys shared with each principal. The only overlap with PKI is PKINIT, which lets a client authenticate to the KDC with a certificate instead of a password-derived key.
139. What is an advantage of using a Certificate Authority (CA) Hierarchy?
A) It provides multiple levels of trust and minimizes risks
B) It eliminates the need for digital certificates
C) It speeds up encryption algorithms
D) It removes the need for certificate validation
✅ Answer: A) It provides multiple levels of trust and minimizes risks
🔹 Explanation: A CA hierarchy includes Root CAs, Intermediate CAs, and end-entity certificates, helping to distribute trust and reduce security risks.
140. What does the term “certificate renewal” mean in PKI?
A) Issuing a new certificate with updated expiration details before the current one expires
B) Extending the certificate’s validity without issuing a new one
C) Creating a backup of an expired certificate
D) Encrypting the private key of a certificate
✅ Answer: A) Issuing a new certificate with updated expiration details before the current one expires
🔹 Explanation: Certificate renewal ensures continuous security by replacing an expiring certificate with a new valid one.
141. What is an air-gapped Certificate Authority (CA)?
A) A CA that is physically isolated from a network for security purposes
B) A CA that issues certificates only for air travel companies
C) A CA that uses wireless communication to distribute certificates
D) A CA that automatically updates its certificates
✅ Answer: A) A CA that is physically isolated from a network for security purposes
🔹 Explanation: An air-gapped CA is kept offline to prevent cyberattacks, often used for Root CAs.
142. What is a PKI Trust Model?
A) The framework that defines how entities trust certificates issued by CAs
B) A method for encrypting certificates
C) A database storing all issued certificates
D) A process for automating certificate revocation
✅ Answer: A) The framework that defines how entities trust certificates issued by CAs
🔹 Explanation: A PKI trust model outlines the structure and rules governing how CAs and certificates are trusted.
143. What does a certificate revocation mechanism prevent?
A) The use of compromised or expired certificates
B) The issuance of new certificates
C) The need for asymmetric encryption
D) The use of digital signatures
✅ Answer: A) The use of compromised or expired certificates
🔹 Explanation: Revocation mechanisms (CRLs and OCSP) withdraw trust from certificates that are still within their validity period, for example after a key compromise; expired certificates are rejected by the validity-date check on their own and are normally dropped from CRLs once they expire.
144. Which hashing algorithm is considered insecure for use in digital certificates?
A) SHA-1
B) SHA-256
C) SHA-3
D) AES
✅ Answer: A) SHA-1
🔹 Explanation: SHA-1 is deprecated for certificate signatures because collision attacks are practical (the SHAttered collision was published in 2017 and chosen-prefix collisions followed), and a chosen-prefix collision lets an attacker obtain a CA signature on one certificate that also validates a different one. Browsers stopped accepting SHA-1 certificates in 2017; SHA-256 or stronger is required.
145. Why should a private key never be shared?
A) It allows unauthorized decryption and digital signature forging
B) It helps encrypt certificates for storage
C) It enables faster SSL handshakes
D) It improves certificate lifespan
✅ Answer: A) It allows unauthorized decryption and digital signature forging
🔹 Explanation: A private key must remain confidential, as sharing it can compromise encryption and authentication security.
146. What role does the “Certificate Policy (CP)” play in PKI?
A) It defines the rules and standards for issuing and managing certificates
B) It encrypts the private keys of digital certificates
C) It determines the key length of certificates
D) It stores revoked certificates
✅ Answer: A) It defines the rules and standards for issuing and managing certificates
🔹 Explanation: A Certificate Policy (CP) provides guidelines and best practices for issuing, managing, and revoking digital certificates.
147. What is the benefit of OCSP Stapling in TLS connections?
A) It reduces the load on OCSP servers by having the server provide the OCSP response
B) It eliminates the need for digital certificates
C) It automatically renews expired certificates
D) It enables stronger encryption
✅ Answer: A) It reduces the load on OCSP servers by having the server provide the OCSP response
🔹 Explanation: OCSP stapling improves performance and privacy by allowing servers to cache and provide OCSP responses, reducing reliance on OCSP servers.
148. What is a Cross-Signed Certificate used for?
A) Transitioning from one CA to another while maintaining compatibility
B) Encrypting digital signatures
C) Automating the certificate renewal process
D) Revoking expired certificates
✅ Answer: A) Transitioning from one CA to another while maintaining compatibility
🔹 Explanation: Cross-signing lets a new CA (or a new root key) be trusted by clients that only know an older root: the older CA signs a certificate for the new CA's key, so either chain validates. A well-known case is ISRG Root X1 (Let's Encrypt), which was cross-signed by IdenTrust's DST Root CA X3 until that root expired in 2021.
149. What is an Intermediate CA’s primary responsibility in a multi-tier PKI system?
A) Issuing certificates to end-entities while delegating trust from the Root CA
B) Storing revoked certificates
C) Encrypting network traffic
D) Replacing the Root CA
✅ Answer: A) Issuing certificates to end-entities while delegating trust from the Root CA
🔹 Explanation: Intermediate CAs provide an additional security layer, handling certificate issuance while protecting the Root CA.
150. What is a Hardware Security Module (HSM) primarily used for in PKI?
A) Securely storing and managing cryptographic keys
B) Encrypting SSL/TLS certificates
C) Automating certificate revocation
D) Performing network intrusion detection
✅ Answer: A) Securely storing and managing cryptographic keys
🔹 Explanation: An HSM is a high-security hardware device used for storing, generating, and managing cryptographic keys.
151. What is the role of an Online Certificate Status Protocol (OCSP) responder?
A) To provide real-time certificate revocation status
B) To generate new SSL certificates for websites
C) To store all issued certificates permanently
D) To renew expired certificates automatically
✅ Answer: A) To provide real-time certificate revocation status
🔹 Explanation: OCSP responders report in real time whether a certificate is good, revoked, or unknown, so clients need not download a full Certificate Revocation List (CRL).
152. What is the difference between OCSP and CRL?
A) OCSP provides real-time revocation status, while CRL is a static list of revoked certificates
B) CRL is used for SSL certificates, while OCSP is used for email encryption
C) OCSP is only used for root certificates, while CRL is used for all certificates
D) CRL is faster than OCSP for certificate validation
✅ Answer: A) OCSP provides real-time revocation status, while CRL is a static list of revoked certificates
🔹 Explanation: OCSP enables real-time verification of certificate validity, whereas CRLs require periodic downloads to check revocation status.
153. What does the term “certificate lifecycle management” refer to in PKI?
A) The process of issuing, renewing, revoking, and expiring certificates
B) The encryption of certificates before use
C) The backup of private keys for all users
D) The automatic distribution of certificates
✅ Answer: A) The process of issuing, renewing, revoking, and expiring certificates
🔹 Explanation: Certificate lifecycle management ensures that digital certificates are properly managed from issuance to expiration or revocation.
154. What happens if a certificate’s private key is compromised?
A) The certificate must be revoked immediately
B) The CA will automatically renew the certificate
C) The certificate remains valid until it expires
D) The certificate can be used by anyone for encryption
✅ Answer: A) The certificate must be revoked immediately
🔹 Explanation: A compromised private key poses a major security risk and must lead to certificate revocation.
155. What is the main function of a cryptographic hash in a digital certificate?
A) To verify the integrity of the certificate’s contents
B) To store the private key within the certificate
C) To generate a new encryption key
D) To provide a random identifier for the certificate
✅ Answer: A) To verify the integrity of the certificate’s contents
🔹 Explanation: The issuing CA hashes the TBSCertificate (the to-be-signed body: subject, public key, validity, extensions) with a function such as SHA-256 and signs the hash; a verifier recomputes the hash and checks the signature, so any change to the contents breaks validation.
156. What does a digital certificate bind together?
A) A public key with the identity of the certificate owner
B) A private key with encryption algorithms
C) A secret password with a domain name
D) A symmetric encryption key with an IP address
✅ Answer: A) A public key with the identity of the certificate owner
🔹 Explanation: A digital certificate is issued to bind a public key with the identity of the certificate owner.
157. What is the purpose of a Root CA certificate store in an operating system or browser?
A) To maintain a list of trusted Certificate Authorities
B) To generate encryption keys for users
C) To store encrypted website passwords
D) To prevent all SSL/TLS traffic
✅ Answer: A) To maintain a list of trusted Certificate Authorities
🔹 Explanation: The root store holds the self-signed root certificates (trust anchors) the platform trusts; a TLS certificate is accepted only if its chain ends in one of them, so adding an entry to this store is a security-sensitive change.
158. What is an Extended Key Usage (EKU) extension in a digital certificate?
A) A field that specifies the purpose of the certificate (e.g., code signing, server authentication)
B) A key used for encrypting certificate contents
C) A backup key for lost certificates
D) A feature that automatically renews certificates
✅ Answer: A) A field that specifies the purpose of the certificate (e.g., code signing, server authentication)
🔹 Explanation: The Extended Key Usage (EKU) extension defines specific purposes for a digital certificate, such as TLS authentication or code signing.
159. What is an advantage of using an Intermediate CA rather than issuing all certificates from a Root CA?
A) It reduces security risks if a subordinate CA is compromised
B) It eliminates the need for digital signatures
C) It speeds up SSL/TLS encryption
D) It ensures certificates never expire
✅ Answer: A) It reduces security risks if a subordinate CA is compromised
🔹 Explanation: The root's key can stay offline while the intermediate does the day-to-day issuing; if the intermediate is compromised, the root revokes it and issues a new one, without the root itself having to be replaced in every trust store.
160. What happens when a web browser encounters a certificate signed by an untrusted CA?
A) It displays a security warning and blocks the connection
B) It automatically trusts the certificate
C) It removes all other trusted certificates
D) It encrypts the website traffic using a default key
✅ Answer: A) It displays a security warning and blocks the connection
🔹 Explanation: If the chain does not end in a CA from the browser's trust store, the browser shows a full-page warning and does not complete the connection; most browsers let the user click through, unless the site is protected by HSTS, which removes that option.
161. What is a major risk associated with using self-signed certificates?
A) They are not trusted by external systems
B) They cannot be used for encryption
C) They cannot be revoked
D) They provide weaker encryption
✅ Answer: A) They are not trusted by external systems
🔹 Explanation: Self-signed certificates chain to no CA in any trust store, so clients reject them (or warn) unless each client is explicitly configured to trust that specific certificate; this makes them unsuitable for public-facing websites, though workable for internal systems and testing.
162. What is the function of a Certificate Policy (CP) document?
A) It defines the rules for issuing and managing certificates
B) It encrypts certificates for security
C) It automatically revokes expired certificates
D) It generates public-private key pairs
✅ Answer: A) It defines the rules for issuing and managing certificates
🔹 Explanation: A Certificate Policy (CP) sets the guidelines and best practices for certificate issuance and management.
163. Which component of PKI ensures that a revoked certificate is no longer trusted?
A) OCSP or CRL
B) TLS protocol
C) Firewall rules
D) DNSSEC
✅ Answer: A) OCSP or CRL
🔹 Explanation: The Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) ensure that revoked certificates are no longer trusted.
164. What type of attack can be prevented using Perfect Forward Secrecy (PFS)?
A) Replay attacks
B) Man-in-the-Middle (MITM) attacks on past encrypted data
C) Cross-Site Scripting (XSS)
D) SQL Injection
✅ Answer: B) Man-in-the-Middle (MITM) attacks on past encrypted data
🔹 Explanation: With PFS, session keys come from an ephemeral key exchange (e.g., ECDHE) rather than from the server's certificate key, so an attacker who recorded traffic and later obtains the server's private key still cannot decrypt those past sessions.
165. Why should expired certificates be removed from trusted stores?
A) To prevent potential security risks and misuse
B) To improve system performance
C) To allow automatic certificate renewal
D) To reduce disk space usage
✅ Answer: A) To prevent potential security risks and misuse
🔹 Explanation: Expired certificates can pose security risks if trusted by mistake, so they should be removed from stores.
166. What is the purpose of a certificate fingerprint?
A) To provide a unique hash of the certificate for verification
B) To store the private key securely
C) To encrypt website traffic
D) To replace the CA’s digital signature
✅ Answer: A) To provide a unique hash of the certificate for verification
🔹 Explanation: A certificate fingerprint is a hash (typically SHA-256, historically SHA-1) of the certificate's DER encoding; comparing it out of band is a reliable way to confirm you are looking at exactly the expected certificate, for example when pinning.
167. What does the term “Key Pair” refer to in PKI?
A) A private key and a public key used together for encryption and decryption
B) Two private keys used for encrypting SSL traffic
C) Two identical keys used for symmetric encryption
D) A backup key stored in a hardware security module
✅ Answer: A) A private key and a public key used together for encryption and decryption
🔹 Explanation: PKI uses asymmetric cryptography: the public key is published in the certificate and used to verify signatures or encrypt to the owner, while the matching private key stays secret and is used to sign or decrypt.
168. What is the function of a digital signature in PKI?
A) To verify the integrity and authenticity of a message or certificate
B) To encrypt SSL/TLS communication
C) To replace passwords in authentication systems
D) To store encryption keys in a secure vault
✅ Answer: A) To verify the integrity and authenticity of a message or certificate
🔹 Explanation: A digital signature ensures that a message originates from a verified sender and has not been tampered with.
169. What role does a Key Escrow service play in PKI?
A) Securely storing private encryption keys for recovery purposes
B) Issuing SSL/TLS certificates for web servers
C) Preventing unauthorized access to firewalls
D) Managing TLS handshakes
✅ Answer: A) Securely storing private encryption keys for recovery purposes
🔹 Explanation: Key escrow stores copies of private encryption keys with a trusted party so that encrypted data can be recovered if the user's key is lost; signing keys are normally not escrowed, since a copy held elsewhere would undermine non-repudiation.
170. What does a wildcard certificate secure?
A) A domain and all its subdomains
B) Multiple unrelated domains
C) A specific IP address
D) Only an email server
✅ Answer: A) A domain and all its subdomains
🔹 Explanation: A wildcard certificate for *.example.com covers names exactly one label below the domain, such as www.example.com or api.example.com; it does not match deeper names like a.b.example.com, and the bare example.com must be added separately as a SAN entry.
171. What is an Air-Gapped CA, and why is it used?
A) A CA that is physically isolated from a network for security purposes
B) A CA used for wireless certificate distribution
C) A CA that encrypts data in motion
D) A CA that only issues email certificates
✅ Answer: A) A CA that is physically isolated from a network for security purposes
🔹 Explanation: Air-gapped CAs are offline CAs used to reduce the risk of compromise, often for Root CA protection.
172. What is the primary function of the Subject Alternative Name (SAN) field in a certificate?
A) It allows multiple domain names to be covered under one certificate
B) It defines the encryption algorithm used
C) It determines the certificate’s expiration date
D) It encrypts certificate contents
✅ Answer: A) It allows multiple domain names to be covered under one certificate
🔹 Explanation: The SAN field in a certificate enables securing multiple domain names under a single SSL/TLS certificate.
173. Why is the SHA-1 hashing algorithm considered insecure for digital certificates?
A) It is vulnerable to collision attacks
B) It requires excessive processing power
C) It cannot be used for digital signatures
D) It does not support encryption
✅ Answer: A) It is vulnerable to collision attacks
🔹 Explanation: SHA-1 is deprecated because practical collision attacks exist (first demonstrated publicly in 2017), where two different inputs produce the same hash value; an attacker could get a benign certificate signed and reuse that signature on a crafted malicious one, so public CAs no longer sign with it.
174. What is the purpose of a Certificate Chain in PKI?
A) It links an end-entity certificate to a trusted root CA through intermediate CAs
B) It encrypts certificate contents for secure storage
C) It allows certificates to be used indefinitely
D) It replaces the need for digital signatures
✅ Answer: A) It links an end-entity certificate to a trusted root CA through intermediate CAs
🔹 Explanation: A certificate chain ensures that an end-entity certificate can be traced back to a trusted Root CA.
175. Which of the following certificates offers the highest level of validation?
A) Extended Validation (EV) Certificate
B) Domain Validation (DV) Certificate
C) Wildcard Certificate
D) Self-Signed Certificate
✅ Answer: A) Extended Validation (EV) Certificate
🔹 Explanation: EV certificates require extensive validation of the business identity, making them more trusted than DV or OV certificates.
176. Why is Perfect Forward Secrecy (PFS) important in TLS encryption?
A) It ensures that past encrypted communications remain secure even if a private key is compromised
B) It speeds up SSL/TLS handshakes
C) It eliminates the need for certificate validation
D) It prevents DDoS attacks
✅ Answer: A) It ensures that past encrypted communications remain secure even if a private key is compromised
🔹 Explanation: PFS prevents attackers from decrypting past communications even if they later obtain the private key.
177. What is the primary benefit of OCSP Stapling over traditional OCSP?
A) It improves performance by allowing the server to cache and send the OCSP response
B) It removes the need for digital signatures
C) It allows self-signed certificates to be trusted automatically
D) It prevents all SSL/TLS attacks
✅ Answer: A) It improves performance by allowing the server to cache and send the OCSP response
🔹 Explanation: With stapling, the server periodically fetches the signed OCSP response for its own certificate and includes it in the TLS handshake, so the client does not have to contact the OCSP responder itself; this cuts handshake latency and stops the CA from learning which sites each client visits.
178. What does the Authority Key Identifier (AKI) field in a certificate do?
A) It links a certificate to the public key of the issuing CA
B) It stores the encryption algorithm used
C) It defines the expiration date of the certificate
D) It encrypts the certificate’s contents
✅ Answer: A) It links a certificate to the public key of the issuing CA
🔹 Explanation: The AKI field helps identify the CA that issued the certificate, linking it to the public key of the issuing CA.
179. What does a Certificate Policy (CP) define?
A) The rules and standards for issuing and managing digital certificates
B) The public key of a digital certificate
C) The encryption algorithm used in certificates
D) The expiration date of a certificate
✅ Answer: A) The rules and standards for issuing and managing digital certificates
🔹 Explanation: A Certificate Policy (CP) provides guidelines for certificate issuance, management, and revocation.
180. What is the main advantage of using Elliptic Curve Cryptography (ECC) over RSA?
A) It provides the same security with smaller key sizes, making encryption more efficient
B) It eliminates the need for private keys
C) It allows digital certificates to be issued without a CA
D) It only works with self-signed certificates
✅ Answer: A) It provides the same security with smaller key sizes, making encryption more efficient
🔹 Explanation: ECC reaches a given security level with far shorter keys than RSA (a 256-bit ECC key is roughly comparable to a 3072-bit RSA key), giving smaller certificates and faster signing and key agreement; in TLS it is used for ECDSA signatures and ECDHE key exchange rather than for bulk encryption.
181. What is the primary function of an Intermediate CA in a PKI hierarchy?
A) To issue certificates on behalf of the Root CA
B) To store encryption keys for all users
C) To manage digital signatures for emails
D) To encrypt website traffic
✅ Answer: A) To issue certificates on behalf of the Root CA
🔹 Explanation: An Intermediate CA helps distribute trust, reducing the risk of compromising the Root CA.
182. What is the main reason for using a Hardware Security Module (HSM) in PKI?
A) To securely generate, store, and manage cryptographic keys
B) To replace digital certificates
C) To improve web server performance
D) To encrypt SSL/TLS traffic
✅ Answer: A) To securely generate, store, and manage cryptographic keys
🔹 Explanation: An HSM provides high-security protection for cryptographic key management, ensuring they remain secure from theft or compromise.
183. What happens if a private key associated with a certificate is lost?
A) The certificate must be revoked and reissued
B) The certificate remains valid until it expires
C) The CA will generate a new private key automatically
D) The certificate can still be used for authentication
✅ Answer: A) The certificate must be revoked and reissued
🔹 Explanation: Without the private key the certificate cannot be used to sign, authenticate, or decrypt anything, and the owner cannot prove the key was merely lost rather than stolen, so the certificate is revoked and a new key pair and CSR are generated for the replacement.
184. Which component in PKI ensures non-repudiation?
A) Digital Signatures
B) Firewalls
C) VPNs
D) Symmetric Encryption
✅ Answer: A) Digital Signatures
🔹 Explanation: Digital signatures provide non-repudiation, ensuring that a sender cannot deny having sent a message.
185. What is the purpose of the Common Name (CN) in an X.509 certificate?
A) It specifies the entity (domain or user) the certificate is issued for
B) It stores the certificate’s private key
C) It defines the encryption algorithm used
D) It determines the certificate’s expiration date
✅ Answer: A) It specifies the entity (domain or user) the certificate is issued for
🔹 Explanation: The Common Name (CN) field identifies the entity the certificate is issued for, such as a domain name or user. For hostname checks, however, modern browsers rely on the Subject Alternative Name (SAN) extension and ignore the CN, so a server certificate must list its hostnames as SAN entries.
186. What is a self-signed certificate?
A) A certificate issued and signed by the same entity
B) A certificate issued by a trusted CA
C) A certificate used only for email encryption
D) A certificate valid for 10 years
✅ Answer: A) A certificate issued and signed by the same entity
🔹 Explanation: A self-signed certificate is not issued by a trusted CA, making it unsuitable for public trust.
187. Why are wildcard certificates considered risky for security?
A) If compromised, they allow access to all subdomains
B) They cannot be used for HTTPS encryption
C) They require renewal every 30 days
D) They prevent certificate revocation
✅ Answer: A) If compromised, they allow access to all subdomains
🔹 Explanation: A compromised wildcard certificate could allow an attacker to spoof multiple subdomains, increasing the security risk.
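The matching rules behind questions 170, 172, 185 and 187, as an added example that is not part of the quiz: a hostname checker implementing the RFC 6125 dNSName rules with the stricter wildcard policy public CAs and browsers apply. The certificate is a dict of already-parsed fields (a stand-in for a real X.509 parser), and every name under example.test and the 192.0.2.10 address are constructed sample data.

```python
"""Added example (not from the quiz page): hostname matching against a certificate's
names, following RFC 6125 section 6.4.3 with the stricter wildcard rules that public
CAs and browsers apply. The certificate is modelled as a dict of parsed fields."""
import ipaddress


def _normalize(name):
    """Lower-case and drop a trailing dot; DNS names compare case-insensitively."""
    return name.strip().lower().rstrip(".")


def dns_name_matches(pattern, hostname):
    """Match one dNSName SAN entry (possibly a wildcard) against a hostname."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Policy: the wildcard must be the whole leftmost label ("f*.example.test" is
    # refused), must not appear anywhere else, and must leave at least two labels
    # below it so "*.test" is refused. (A public-suffix check is out of scope here.)
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]) or len(p_labels) < 3:
        return False
    # "*" covers exactly one label: "*.example.test" matches api.example.test but
    # neither deep.api.example.test nor the bare example.test.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def hostname_matches(cert, hostname, allow_cn_fallback=False):
    """cert = {"cn": str, "san_dns": [str], "san_ip": [str]} (assumed, already parsed).

    IP literals match only iPAddress SANs. If any dNSName SAN exists the CN is
    ignored entirely; a CN-only certificate matches only when the caller opts in,
    which modern browsers no longer do."""
    try:
        ip = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(entry) == ip for entry in cert.get("san_ip", []))
    san_dns = cert.get("san_dns", [])
    if san_dns:
        return any(dns_name_matches(pattern, hostname) for pattern in san_dns)
    cn = cert.get("cn")
    return bool(allow_cn_fallback and cn and dns_name_matches(cn, hostname))


# Constructed sample certificates (not real), using the reserved example.test domain.
WILDCARD_CERT = {"cn": "leaf", "san_dns": ["www.example.test", "*.example.test"], "san_ip": []}
CN_ONLY_CERT = {"cn": "legacy.example.test", "san_dns": [], "san_ip": []}
IP_CERT = {"cn": "gateway", "san_dns": ["gw.example.test"], "san_ip": ["192.0.2.10"]}

if __name__ == "__main__":
    for host in ["www.example.test", "api.example.test", "deep.api.example.test", "example.test"]:
        print(f"{host:28} -> {hostname_matches(WILDCARD_CERT, host)}")
```

Note the order of decisions: an IP literal never matches a dNSName entry, the CN is consulted only when no dNSName SAN exists at all and the caller explicitly allows it, and the wildcard label is compared structurally (same number of labels) rather than with a substring search, which is what prevents *.example.test from covering deeper or bare names.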
188. What does the Key Usage field in an X.509 certificate specify?
A) The allowed cryptographic operations (e.g., key encipherment, digital signature)
B) The certificate’s expiration date
C) The issuing CA’s name
D) The encryption algorithm used
✅ Answer: A) The allowed cryptographic operations (e.g., key encipherment, digital signature)
🔹 Explanation: The Key Usage field defines whether a certificate is allowed for signing, encryption, or other cryptographic operations.
189. What is the primary purpose of a Certificate Revocation List (CRL)?
A) To list certificates that have been revoked before their expiration date
B) To store encryption keys for revoked certificates
C) To distribute new public keys to users
D) To extend the expiration date of revoked certificates
✅ Answer: A) To list certificates that have been revoked before their expiration date
🔹 Explanation: A CRL contains revoked certificates that are no longer trusted before their scheduled expiration.
190. Why are expired certificates considered a security risk?
A) Attackers may still be able to use them for impersonation
B) They allow attackers to decrypt previous SSL/TLS traffic
C) They automatically renew themselves
D) They disable SSL/TLS encryption
✅ Answer: A) Attackers may still be able to use them for impersonation
🔹 Explanation: CAs may drop a certificate from their CRL once it has expired, so a system that skips the expiry check will also miss its revocation; any client that accepts an expired certificate can therefore be fooled by a leaked key long after the certificate should have stopped working.
191. What is the benefit of using a Time-Stamping Authority (TSA) in digital signatures?
A) It provides proof of the exact time a document was signed
B) It encrypts private keys for additional security
C) It generates self-signed certificates
D) It replaces the need for digital certificates
✅ Answer: A) It provides proof of the exact time a document was signed
🔹 Explanation: A TSA countersigns a hash of the signature together with a trusted time, proving the signature existed at that moment; this lets a signature remain verifiable after the signing certificate expires or is later revoked, as long as the timestamp predates the revocation (code signing relies on this).
192. What is a primary use case for a Code Signing Certificate?
A) To verify the authenticity and integrity of software
B) To encrypt email messages
C) To secure HTTPS websites
D) To store private keys in a secure vault
✅ Answer: A) To verify the authenticity and integrity of software
🔹 Explanation: Code Signing Certificates ensure that software has not been tampered with after being signed by a developer.
193. What type of PKI certificate allows securing multiple domains under one certificate?
A) SAN (Subject Alternative Name) Certificate
B) Wildcard Certificate
C) Root CA Certificate
D) Self-Signed Certificate
✅ Answer: A) SAN (Subject Alternative Name) Certificate
🔹 Explanation: SAN Certificates allow securing multiple distinct domains within a single certificate.
194. What is the main benefit of Perfect Forward Secrecy (PFS) in SSL/TLS?
A) It ensures past encrypted communications remain secure even if a private key is compromised
B) It increases website loading speed
C) It allows certificates to be renewed automatically
D) It prevents SQL injection attacks
✅ Answer: A) It ensures past encrypted communications remain secure even if a private key is compromised
🔹 Explanation: With PFS each session derives its keys from an ephemeral key exchange that is discarded afterwards; the long-term private key only authenticates that exchange, so obtaining it later does not allow decryption of recorded sessions.
195. What does a Certificate Authority Authorization (CAA) record do in DNS?
A) It specifies which CAs are allowed to issue certificates for a domain
B) It prevents DNS spoofing attacks
C) It stores revoked certificates
D) It replaces SSL/TLS encryption
✅ Answer: A) It specifies which CAs are allowed to issue certificates for a domain
🔹 Explanation: A CAA record lists the CAs authorized to issue for a domain (with a separate issuewild tag for wildcard names); publicly trusted CAs must check it before issuing, which limits mis-issuance. Browsers do not consult CAA when validating a certificate, so it prevents issuance rather than use.
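The check a CA performs against CAA records, as an added example that is not part of the quiz and not any CA's code: it implements the RFC 8659 lookup (walk up the name tree to the first CAA set) and the issue/issuewild/critical-flag rules over a constructed in-memory zone instead of live DNS. The zone contents, the CA names ca-one.test and ca-two.test, and the "futuretag" property are all made up for the example.

```python
"""Added example (not from the quiz page): decide from CAA records whether a given
CA may issue for a name, following the RFC 8659 lookup and issue/issuewild rules.
DNS is replaced by a constructed in-memory zone so this runs offline."""

ISSUE, ISSUEWILD, IODEF = "issue", "issuewild", "iodef"
KNOWN_TAGS = {ISSUE, ISSUEWILD, IODEF}
CRITICAL = 0x80   # issuer-critical flag bit (RFC 8659 section 4.1)

# Constructed CAA data: FQDN -> list of (flags, tag, value). None of these are real zones.
SAMPLE_ZONE = {
    "example.test": [
        (0, ISSUE, "ca-one.test"),
        (0, ISSUEWILD, "ca-two.test; accounturi=https://ca-two.test/acct/42"),
    ],
    "nocerts.example.test": [(0, ISSUE, ";")],                     # nobody may issue
    "strict.example.test": [(CRITICAL, "futuretag", "x"), (0, ISSUE, "ca-one.test")],
    "audit.example.test": [(0, IODEF, "mailto:security@example.test")],
}


def relevant_caa(zone, name):
    """Return the first non-empty CAA RRset found walking from name up towards the TLD.
    A wildcard request *.example.test starts the walk at example.test."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return list(rrset)
    return []


def issuer_domain(value):
    """'ca.test; accounturi=...' -> 'ca.test'; ';' or '' -> '' (authorises no CA)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone, name, ca):
    """True if `ca` is permitted to issue a certificate for `name` (a wildcard
    request if it starts with '*.'). Mirrors the checks a CA must perform."""
    wildcard = name.startswith("*.")
    rrset = relevant_caa(zone, name)
    if not rrset:
        return True                         # no CAA anywhere up the tree: unrestricted
    # A critical property the CA does not understand forbids issuance outright.
    if any(flags & CRITICAL and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, tag, v in rrset if tag.lower() == ISSUE]
    issuewild = [v for _, tag, v in rrset if tag.lower() == ISSUEWILD]
    # issuewild governs wildcard requests and, when present, overrides issue for them;
    # without any issuewild record the issue records apply to wildcards as well.
    governing = issuewild if wildcard and issuewild else issue
    if not governing:
        return True                         # e.g. only iodef records: no restriction
    return ca.lower() in {issuer_domain(v) for v in governing}


if __name__ == "__main__":
    for req in [("www.example.test", "ca-one.test"), ("*.example.test", "ca-one.test"),
                ("*.example.test", "ca-two.test"), ("nocerts.example.test", "ca-one.test")]:
        verdict = "allowed" if may_issue(SAMPLE_ZONE, *req) else "refused"
        print(f"{req[1]:12} for {req[0]:24} -> {verdict}")
```

Two details worth noticing: a subdomain with no CAA records of its own inherits the nearest ancestor's set (so deep.nocerts.example.test is locked down by the ";" record above it), and an issuewild record silently changes what the issue records mean for wildcard requests, which is a common source of surprise when a wildcard order is refused.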
196. What is a Delta CRL?
A) A CRL that only includes recently revoked certificates since the last full CRL
B) A backup list of all issued certificates
C) A list of expired certificates
D) A CRL with no expiration
✅ Answer: A) A CRL that only includes recently revoked certificates since the last full CRL
🔹 Explanation: Delta CRLs contain only newly revoked certificates, reducing the size of updates.
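Revocation checking as a relying party performs it, covering questions 163, 165, 189, 190 and 196 in one added example that is not part of the quiz: merging a delta CRL into its base CRL per RFC 5280 section 5.2.4, then applying the status checks in the order a validator must use (expiry before revocation, and a stale CRL treated as "unknown", never as "good"). CRLs and certificates are dicts of already-parsed fields; the CRL numbers, serials, reason codes and the reference time T0 are constructed sample data.

```python
"""Added example (not from the quiz page): CRL handling as a relying party sees it.
apply_delta() merges a delta CRL into its base CRL (RFC 5280 section 5.2.4) and
certificate_status() applies the checks in the order a validator must use. CRLs
and certificates are dicts of already-parsed fields; all data is constructed."""
from datetime import datetime, timedelta, timezone

KEY_COMPROMISE, CERTIFICATE_HOLD, REMOVE_FROM_CRL = 1, 6, 8   # CRLReason codes, RFC 5280 5.3.1


def apply_delta(base, delta):
    """Combine a base CRL with a delta CRL issued against it.
    A delta names the base it extends (BaseCRLNumber); applying it to any other base
    would silently drop revocations, so that mismatch is an error, not a warning."""
    if delta.get("base_number") != base["number"]:
        raise ValueError("delta CRL was not built on this base CRL (BaseCRLNumber mismatch)")
    if delta["number"] <= base["number"]:
        raise ValueError("delta CRL number must be newer than the base CRL number")
    revoked = dict(base["revoked"])
    for serial, reason in delta["revoked"].items():
        if reason == REMOVE_FROM_CRL:
            revoked.pop(serial, None)       # a certificateHold was lifted: drop the entry
        else:
            revoked[serial] = reason        # new or updated revocation
    return {"number": delta["number"], "this_update": delta["this_update"],
            "next_update": delta["next_update"], "revoked": revoked}


def certificate_status(cert, crl, now):
    """Return 'expired', 'unknown', 'revoked' or 'good'.
    Expiry is tested first: a CA may remove a certificate from its CRL once it has
    expired, so 'absent from the CRL' means nothing for an expired certificate.
    A CRL outside its thisUpdate..nextUpdate window gives 'unknown' (fail closed)."""
    if not (cert["not_before"] <= now <= cert["not_after"]):
        return "expired"
    if not (crl["this_update"] <= now <= crl["next_update"]):
        return "unknown"
    return "revoked" if cert["serial"] in crl["revoked"] else "good"


# Constructed sample data; T0 is an arbitrary reference time, serials are made up.
T0 = datetime(2024, 6, 1, tzinfo=timezone.utc)
BASE_CRL = {"number": 41, "this_update": T0, "next_update": T0 + timedelta(days=7),
            "revoked": {0x1001: KEY_COMPROMISE, 0x1002: CERTIFICATE_HOLD}}
DELTA_CRL = {"number": 42, "base_number": 41,
             "this_update": T0 + timedelta(days=1), "next_update": T0 + timedelta(days=2),
             "revoked": {0x1003: KEY_COMPROMISE, 0x1002: REMOVE_FROM_CRL}}


def sample_cert(serial, days_valid=90, issued=T0 - timedelta(days=30)):
    """A constructed end-entity certificate reduced to the fields the checks need."""
    return {"serial": serial, "not_before": issued,
            "not_after": issued + timedelta(days=days_valid)}


if __name__ == "__main__":
    now = T0 + timedelta(hours=36)
    merged = apply_delta(BASE_CRL, DELTA_CRL)
    for serial in (0x1001, 0x1002, 0x1003, 0x1004):
        base_view = certificate_status(sample_cert(serial), BASE_CRL, now)
        merged_view = certificate_status(sample_cert(serial), merged, now)
        print(f"{serial:#06x}: base CRL -> {base_view:8} base+delta -> {merged_view}")
```

Running it shows serial 0x1003 as "good" against the week-old base CRL and "revoked" once the delta is applied, which is exactly the window a delta CRL is meant to close; a client that only refreshes the full CRL would trust that certificate for up to a week after its key was reported compromised.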
197. What is the purpose of the “Certificate Transparency” initiative by Google?
A) To detect and prevent fraudulent certificate issuance
B) To encrypt SSL/TLS traffic more efficiently
C) To automatically renew digital certificates
D) To store all certificates in a private repository
✅ Answer: A) To detect and prevent fraudulent certificate issuance
🔹 Explanation: Certificate Transparency (CT) requires CAs to submit issued certificates to public, append-only logs; browsers such as Chrome require proof of logging before accepting a certificate, and domain owners can monitor the logs to detect certificates they never requested.
198. What is the main security risk of using outdated or weak cryptographic algorithms in PKI?
A) Increased vulnerability to brute-force and cryptanalysis attacks
B) Slower SSL/TLS handshake times
C) Difficulty in managing certificate expiration dates
D) Higher cost of certificate issuance
✅ Answer: A) Increased vulnerability to brute-force and cryptanalysis attacks
🔹 Explanation: Broken hash functions such as MD5 and SHA-1 allow collision attacks, where an attacker crafts a second certificate with the same hash as a legitimately signed one (a rogue CA certificate was forged this way against MD5 in 2008); undersized keys such as 1024-bit RSA likewise no longer give an adequate margin against factoring.
199. What does the “Basic Constraints” field in an X.509 certificate indicate?
A) Whether the certificate is a CA certificate or an end-entity certificate
B) The certificate’s expiration date
C) The public key size used in encryption
D) The encryption algorithm
✅ Answer: A) Whether the certificate is a CA certificate or an end-entity certificate
🔹 Explanation: Basic Constraints carries the cA flag and an optional pathLenConstraint (how many further CA certificates may follow it in a chain); validators must enforce it so that an ordinary end-entity certificate cannot be used to sign other certificates.
200. Why are Extended Validation (EV) certificates considered more secure than Domain Validation (DV) certificates?
A) They require more rigorous identity verification before issuance
B) They use stronger encryption algorithms
C) They support wildcard subdomains by default
D) They never expire
✅ Answer: A) They require more rigorous identity verification before issuance
🔹 Explanation: EV certificates require extensive validation of the business and domain ownership, so the identity they assert is more trustworthy than a DV certificate's; the cryptography is identical, and browsers have since removed the distinctive EV address-bar indicator.
201. What is a Cross-Certification Agreement in PKI?
A) A trust relationship between two different Certificate Authorities (CAs)
B) A process for automatically renewing expired certificates
C) A method for encrypting digital signatures
D) A protocol for issuing self-signed certificates
✅ Answer: A) A trust relationship between two different Certificate Authorities (CAs)
🔹 Explanation: Cross-certification agreements allow different CAs to recognize each other’s certificates, creating a broader trust network.
202. What does the term “Trust Anchor” refer to in PKI?
A) The Root CA that serves as the starting point of a certificate chain
B) A backup server for certificate storage
C) A special type of digital signature
D) A secure password manager for cryptographic keys
✅ Answer: A) The Root CA that serves as the starting point of a certificate chain
🔹 Explanation: A trust anchor is a public key (usually carried in a Root CA certificate) that a relying party trusts by configuration rather than because anyone signed it; every chain is validated back to a trust anchor in the local trust store.
203. How does a Private Key protect digital certificates?
A) It is used to decrypt messages encrypted with the public key
B) It is shared publicly for authentication
C) It automatically updates the certificate chain
D) It replaces the need for digital signatures
✅ Answer: A) It is used to decrypt messages encrypted with the public key
🔹 Explanation: The private key is the secret half of the key pair: only its holder can decrypt data encrypted to the certificate's public key or produce signatures that the public key verifies, so protecting it (for example in an HSM) is what keeps the certificate's identity from being impersonated.
204. Why is it important to periodically rotate cryptographic keys in PKI?
A) To reduce the impact of a compromised key and enhance security
B) To improve website loading speed
C) To comply with DNSSEC requirements
D) To avoid digital signatures altogether
✅ Answer: A) To reduce the impact of a compromised key and enhance security
🔹 Explanation: Key rotation ensures that even if a key is compromised, its impact is minimized, improving overall security.
205. What is the function of an Issuer Distinguished Name (Issuer DN) in a certificate?
A) Identifies the Certificate Authority (CA) that issued the certificate
B) Encrypts the certificate’s public key
C) Stores the certificate revocation list (CRL)
D) Determines the validity period of a certificate
✅ Answer: A) Identifies the Certificate Authority (CA) that issued the certificate
🔹 Explanation: The Issuer DN field specifies the CA that issued the certificate, helping establish the chain of trust.