CompTIA Security+ Question F-56

Which of the following provides a static record of all certificates that are no longer valid?

A. Private key
B. Recovery agent
C. CRLs
D. CA

Answer: C

Explanation:
The CRL (Certificate revocation list) is exactly what its name implies: a list of subscribers paired with digital certificate status. The list enumerates revoked certificates along with the reason(s) for revocation. The dates of certificate issue, and the entities that issued them, are also included. In addition, each list contains a proposed date for the next release. When a potential user attempts to access a server, the server allows or denies access based on the CRL entry for that particular user.

CompTIA Security+ Question E-33

A company is concerned that a compromised certificate may result in a man-in-the-middle attack against backend financial servers. In order to minimize the amount of time a compromised certificate would be accepted by other servers, the company decides to add another validation step to SSL/TLS connections. Which of the following technologies provides the FASTEST revocation capability?

A. Online Certificate Status Protocol (OCSP)
B. Public Key Cryptography (PKI)
C. Certificate Revocation Lists (CRL)
D. Intermediate Certificate Authority (CA)

Answer: A

Explanation:
CRL (Certificate Revocation List) was first released to allow the CA to revoke certificates, however due to limitations with this method it was succeeded by OSCP. The main advantage to OCSP is that because the client is allowed query the status of a single certificate, instead of having to download and parse an entire list there is much less overhead on the client and network.

CompTIA Security+ Question E-27

Which of the following is true about the CRL?

A. It should be kept public
B. It signs other keys
C. It must be kept secret
D. It must be encrypted

Answer: A

Explanation:
The CRL must be public so that it can be known which keys and certificates have been revoked. In the operation of some cryptosystems, usually public key infrastructures (PKIs), a certificate revocation list (CRL) is a list of certificates (or more specifically, a list of serial numbers for certificates) that have been revoked, and therefore, entities presenting those (revoked) certificates should no longer be trusted.

CompTIA Security+ Question D-94

Which of the following should a security technician implement to identify untrusted certificates?

A. CA
B. PKI
C. CRL
D. Recovery agent

Answer: C

Explanation:
Untrusted certificates and keys are revoked and put into the CRL. Note: The CRL (Certificate revocation list) is exactly what its name implies: a list of subscribers paired with digital certificate status. The list enumerates revoked certificates along with the reason(s) for revocation. The dates of certificate issue, and the entities that issued them, are also included.

CompTIA Security+ Question C-67

A technician wants to secure communication to the corporate web portal, which is currently using HTTP. Which of the following is the FIRST step the technician should take?

A. Send the server’s public key to the CA
B. Install the CA certificate on the server
C. Import the certificate revocation list into the server
D. Generate a certificate request from the server

Answer: D

CompTIA Security+ Question B-18

A systems administrator has implemented PKI on a classified government network. In the event that a disconnect occurs from the primary CA, which of the following should be accessible locally from every site to ensure users with bad certificates cannot gain access to the network?

A. A CRL
B. Make the RA available
C. A verification authority
D. A redundant CA

Answer: A

Explanation:
A certificate revocation list (CRL) is created and distributed to all CAs to revoke a certificate or key. By checking the CRL you can check if a particular certificate has been revoked.

CompTIA Security+ Question A-94

A CRL is comprised of.

A. Malicious IP addresses.
B. Trusted CA’s.
C. Untrusted private keys.
D. Public keys.

Answer: D

Explanation:
A certificate revocation list (CRL) is created and distributed to all CAs to revoke a certificate or key. By checking the CRL you can check if a particular certificate has been revoked. The certificates for which a CRL should be maintained are often X.509/public key certificates, as this format is commonly used by PKI schemes.

CompTIA Security+ Question A-77

When employees that use certificates leave the company they should be added to which of the following?

A. PKI
B. CA
C. CRL
D. TKIP

Answer: C

Explanation:
The certificates of the leaving employees must be made unusable. This is done by revoking them. The revoke certificates end up in the CRL. Note: The CRL (Certificate revocation list) is exactly what its name implies: a list of subscribers paired with digital certificate status. The list enumerates revoked certificates along with the reason(s) for revocation. The dates of certificate issue, and the entities that issued them, are also included. In addition, each list contains a proposed date for the next release.