Term
| Stand-alone CAs must issue or deny certificates from certificate requests via... |
|
Definition
|
|
Term
| Enterprise CAs issue or deny certificates from certificate requests via... |
|
Definition
| the DACL of the certificate template being requested |
|
|
Term
| Use stand-alone CAs in networks that are not or cannot... |
|
Definition
|
|
Term
| The recommended key length on a Root-CA |
|
Definition
| is 2048 Microsoft Strong Cryptographic Provider |
|
|
Term
| Default setting for the validity period of the Root-CA |
|
Definition
| 5 years (recommended validity period is twice as long as the issuing CA's) |
|
|
Term
| What type of CA should a Root-CA be deployed as |
|
Definition
|
|
Term
| What is the hashing algorithm used for |
|
Definition
|
|
Term
| What is the default publishing interval between CRLs |
|
Definition
|
|
Term
| What is the default publishing interval between Delta CRLs |
|
Definition
|
|
Term
| Where can CRLs be published (Choose 4) |
|
Definition
| Active Directory, FTP Server, Web Server, File Server |
|
|
Term
| What are some scenarios in which you would want to deploy AD CS (Choose Six) |
|
Definition
| Secure wireless networks, VPNs, Smartcard logon, EFS, NAP, IPSec |
|
|
Term
| Domain settings on a CA may be changed? True or False? |
|
Definition
| False: once a DC is made a CA, the settings cannot be changed on the server |
|
|
Term
| Name the four services that can be installed with AD CS role |
|
Definition
| Certification Authority, Certification Authority Web Enrollment, Network Device Enrollment Service, Online Responder |
|
|
Term
| What type of certificate is issued to the Root-CA |
|
Definition
|
|
Term
| Name the path to the certificate database and log |
|
Definition
| C:\Windows\System32\Certlog |
|
|
Term
| What does MIIS stand for? |
|
Definition
| Microsoft Identity Integration Server |
|
|
Term
|
Definition
| Certificate Lifecycle Manager |
|
|
Term
| What are the benefits of using Version 3 templates |
|
Definition
| Supports Cryptographic API: Next Gen, Suite-B algorithms (ECC) |
|
|
Term
| What version template doesn't support autoenrollment? |
|
Definition
|
|
Term
| How can CRLs be validated (Choose Three) |
|
Definition
| certificate discovery, path validation, revocation checking process |
|
|
Term
| What protocol does Online Responder use to check certificate validity |
|
Definition
| Online Certificate Status Protocol |
|
|
Term
| Name a scenario in which you would use an Online Responder |
|
Definition
| Remote clients who connect over slower WAN links, distributing non-Windows certificate CRLs |
|
|
Term
| What is the name of the tool new to Server 2008 that allows you to view and troubleshoot multiple CAs at once |
|
Definition
|
|
Term
| In a three-tier CA hierarchy, what is the name of the second-level CA |
|
Definition
|
|
Term
|
Definition
| Certificate Practice Statement |
|
|
Term
|
Definition
| A document that outlines the practices IT uses to manage the certificates it issues |
|
|
Term
| What is a Certificate Template |
|
Definition
| a file that defines the format and content of certificates that the CA issues. |
|
|
Term
| What version templates are read-only |
|
Definition
|
|
Term
| What is the run-line command for the Certificate Templates snap-in |
|
Definition
|
|
Term
| What are the minimum permissions that a user or computer must have to enroll for a certificate |
|
Definition
|
|
Term
| What are the permissions that a user or computer must have to auto-enroll for a certificate |
|
Definition
|
|
Term
| If the autoenrollment permission is not available in a certificate template what might be the reason |
|
Definition
| The template is a version 1 template (Windows 2000) |
|
|
Term
|
Definition
|
|
Term
| What is the purpose of a KRA |
|
Definition
|
|
Term
| To recover a key, what must happen first |
|
Definition
| the key must have already been archived |
|
|
Term
| What can the KRA use to recover keys |
|
Definition
|
|
Term
| What protocol does NDES use |
|
Definition
| Simple Certificate Enrollment Protocol |
|
|
Term
| Autoenrollment requires what |
|
Definition
| Enterprise/Datacenter Windows Server 2008 and XP or higher, version 2 or 3 certificates |
|
|
Term
| What is the path of the GPO to support autoenrollment |
|
Definition
| Computer Configuration\Windows Settings\Security Settings\Public Key Policies > right-click Certificate Services Client - Auto-Enrollment > choose Properties |
|
|
Term
| What is the purpose of an enrollment agent |
|
Definition
| Enrollment agents can enroll on behalf of other users, such as when preconfiguring smartcards in bulk |
|
|
Term
| Where do you configure enrollment agents |
|
Definition
| Open Certification Authority, right-click the server and choose Properties > then choose the Enrollment Agents tab |
|
|
Term
| What must enrollment agents possess in order to enroll for certificates for others |
|
Definition
| Enrollment Agent Certificate |
|
|
Term
| What is a warning about the enrollment agent role |
|
Definition
| Make sure that job is given to a trusted employee |
|
|
Term
| Where are certificates stored |
|
Definition
| In certificate stores in a protected portion of the registry |
|
|
Term
| What would you be using Personal Information Exchange PKCS #12 for |
|
Definition
| To back up and export a certificate with its private key from one computer to another |
|
|
Term
| What would you use to import a certificate |
|
Definition
| Certificate Console > right-click the appropriate certificate store and choose Import, which will start the Certificate Import Wizard |
|
|
Term
| How can you limit the users who can enroll for certificates |
|
Definition
| Remove the Authenticated Users Group from the DACL and add a group containing the appropriate users |
|
|
Term
| What command can you use to back up the system state data on a CA |
|
Definition
|
|
Term
| Why would you back up the system state data on a CA |
|
Definition
| Because the certificate database is part of the system state data. In backing up system state data you back up the certificate database |
|
|
Term
| What can you use to restore the CA database |
|
Definition
| Certificate Authority > right-click the certificate server and choose All Tasks > Restore CA |
|
|
Term
| What editions of Server 2008 do you need to install an Online Responder |
|
Definition
|
|
Term
| The only feature of AD CS that 2008 Standard Ed. supports |
|
Definition
|
|
Term
| How can you archive a user's private key |
|
Definition
| Modify the certificate template: on the Request Handling tab, choose "Archive subjects name" |
|
|
Term
| The CRL is ______ signed by a CA |
|
Definition
|
|
Term
| How can you start the OCSP service |
|
Definition
|
|
Term
| What is the name of the certificate that needs to be issued to the Online Responder to allow it to issue certificates |
|
Definition
| OCSP Response Signing Certificate Template and then issue that certificate |
|
|
Term
| What is the default internal trigger time for certificate auto-enrollment |
|
Definition
|
|
Term
| Where can you make sure that the Online Responder URL in the AIA is properly configured |
|
Definition
| the Extension Tab of the certificate |
|
|
Term
| What command can you use to back up the CA certificate |
|
Definition
|
|
Term
| What is the Registry path to the AD CS configurations |
|
Definition
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration |
|
|
Term
| Name the three methods you can manually export keys and certificates |
|
Definition
| .pfx file (Public Key Cryptography Standards #12) from MMC, PKCS #12 export from Outlook 2003/2007, .ept file from Outlook 2000/2002 |
|
|
Term
| What is a reason you might need to manually export a certificate or private key |
|
Definition
| For users that have enrolled for a certificate via a non-Microsoft CA (third party) |
|
|
Term
| Who can enroll for a KRA certificate |
|
Definition
| Domain and Enterprise Administrators |
|
|