Question 1: A server administrator generates a new key pair and submits a Certificate Signing Request to a public CA. What does the CSR contain?
Question 2: An organization's web server private key was compromised in a breach. The certificate has 6 months remaining on its validity period. What action is required to prevent attackers from using the stolen key?
Question 3: Which revocation method does a server use when it pre-fetches its own certificate status from the CA and includes the signed response in the TLS handshake?
Question 4: A company has 30 subdomains (api.company.com, www.company.com, mobile.company.com, etc.) but also needs to cover staging.api.company.com. Which certificate type handles this requirement?
Question 5: Why do CAs use intermediate CA certificates instead of having the Root CA directly sign server certificates?
Matching: Certificate Concepts
Match each term to its correct description.
TERM
DESCRIPTION
Performance Task
A large e-commerce company discovers that their TLS private key was exposed in a server breach. They have 12 web servers, each with its own certificate (all issued by the same CA). Their security team must respond within 4 hours. Design the complete incident response procedure for the certificate compromise.
Immediate actions (first 30 minutes):
1. Contain the breach β isolate the compromised server(s) from the network to prevent further key extraction.
2. Notify the incident response team and management β this is a Severity 1 incident requiring immediate escalation.
3. Document the scope: which servers, which certificates, when was the key potentially exposed, what time window of traffic may be at risk.
Certificate revocation (hours 1-2):
4. Contact the CA's revocation team or use the CA portal to revoke all potentially compromised certificates immediately. Provide the certificate serial numbers.
5. Verify revocation propagation β check OCSP responders return "Revoked" for the old certificates. Check CRL is updated.
6. Communicate to the security team that revocation is in progress β do not wait for revocation to complete before starting key regeneration.
New key pair and certificate generation (hours 2-3):
7. On each server: generate a new RSA 3072-bit or ECDSA P-256 key pair. Each server gets its own unique key pair.
8. Generate CSRs for each server with the appropriate domain names and SANs.
9. Submit CSRs to the CA β for most public CAs, DV certificate reissuance can occur within minutes to an hour.
10. Install new certificates and private keys on each server. Restart the TLS service on each server.
Post-replacement verification (hour 3-4):
11. Verify each server's new certificate: confirm the new cert is in use, check SANs are correct, confirm chain of trust is valid.
12. Confirm old certificates return "Revoked" in OCSP checks β verify revocation is in effect.
13. Check for any cached sessions or session tickets tied to old keys β consider forcing new TLS sessions by rotating session ticket keys.
Follow-up actions:
14. Rotate any secrets that may have been in server memory (API keys, database passwords, session tokens) β the breach may have exposed more than just TLS keys.
15. Determine whether traffic recorded before the breach (if captured) could be decrypted. If forward secrecy was NOT in use, assume past traffic may be compromised. Rotate all user session tokens and force re-login.
16. Review and improve: implement certificate pinning or Certificate Transparency monitoring. Improve key protection (consider HSM-backed key storage). Conduct post-incident review.