CompTIA Security+ SY0-701 PKI Questions

SecurityPlus_Certificate_Practice

Uploaded by

Seth Blankenship

CompTIA Security+ (SY0-701) - Certificate / PKI

Practice Questions

1. Which standard defines the format of digital certificates? A) AES B) TLS C) X.509 D) RSA

2. A user receives a certificate that cannot be validated because the issuer’s certificate is missing. What is this called? A) Expired certificate B) Broken chain of trust C) Key escrow D) Self-signed certificate

3. What does a digital certificate primarily bind together? A) A username and password B) A public key and an identity C) A private key and a hash D) An algorithm and a key size

4. Which certificate attribute contains the domain name for SSL/TLS validation? A) CRL B) SAN (Subject Alternative Name) C) OCSP D) Key Usage

5. Which protocol allows real-time validation of a certificate’s status? A) OCSP B) CRL C) IPSec D) SNMP

6. If a private key is compromised, which action must be taken? A) Renew the certificate B) Revoke the certificate C) Suspend the certificate D) Back up the certificate

7. What is the purpose of a Certificate Revocation List (CRL)? A) List of expired certs B) List of revoked certs C) Backup of CA keys D) Chain of intermediate certs

8. Which entity issues digital certificates? A) RADIUS server B) Certificate Authority (CA) C) DNS server D) PKCS#7

9. In a PKI system, what is an Intermediate CA used for? A) Distributes private keys B) Offloads issuance from the root CA C) Provides time synchronization D) Encrypts SSL traffic

10. A user tries to visit [Link] but receives a warning about the certificate name. What likely caused this? A) Wrong key size B) SAN mismatch C) Expired CRL D) Weak algorithm

11. What is the main difference between a wildcard certificate and a SAN certificate? A) Wildcard works for subdomains; SAN works for multiple domains B) SAN is cheaper than wildcard C) Wildcard requires multiple private keys D) SAN certificates cannot be revoked

12. What does key escrow provide? A) Backup of encryption keys with a trusted third party B) Temporary certificate suspension C) Faster TLS handshakes D) Validation of SAN fields

13. Which certificate type would most likely be used by a web server hosting multiple domains on the same IP? A) Self-signed certificate B) SAN certificate C) Wildcard certificate D) Code-signing certificate

14. Why are self-signed certificates not trusted by default? A) They are not X.509 compliant B) They lack a trusted CA signature C) They cannot be revoked D) They expire immediately

15. Which PKI component publishes and maintains certificates and CRLs? A) OCSP Responder B) Registration Authority (RA) C) Certificate Authority (CA) D) Repository

16. Which certificate type is used to digitally sign software to prove authenticity? A) Root certificate B) Code-signing certificate C) Wildcard certificate D) SAN certificate

17. Which PKI trust model relies on a single root CA that all parties trust? A) Web of trust B) Hierarchical trust model C) Bridge trust model D) Mesh trust model

18. Which protocol can replace CRLs to provide faster certificate status checks? A) TLS B) OCSP C) SSH D) IPSec

19. Which certificate attribute defines what the certificate can be used for (e.g., digital signature, key encipherment)? A) Extended Key Usage (EKU) B) Subject Alternative Name (SAN) C) Distinguished Name (DN) D) Serial Number

20. A company wants a certificate that secures [Link], [Link], and [Link]. Which type of certificate is best? A) Wildcard certificate for *.[Link] B) SAN certificate with three entries C) Self-signed certificate D) Code-signing certificate

Answer Key
1. C) X.509
2. B) Broken chain of trust
3. B) A public key and an identity
4. B) SAN (Subject Alternative Name)
5. A) OCSP
6. B) Revoke the certificate
7. B) List of revoked certs
8. B) Certificate Authority (CA)
9. B) Offloads issuance from the root CA
10. B) SAN mismatch
11. A) Wildcard works for subdomains; SAN works for multiple domains
12. A) Backup of encryption keys with a trusted third party
13. B) SAN certificate
14. B) They lack a trusted CA signature
15. D) Repository
16. B) Code-signing certificate
17. B) Hierarchical trust model
18. B) OCSP
19. A) Extended Key Usage (EKU)
20. A) Wildcard certificate for *.[Link]
