Checking the Validity of Certificates
On this exam, there are only 2 ways to check the validity of a certificate:
- CRL (Certificate Signing Request)
- OCSP (Online Certificate Status Protocol)
CRL
- You can use OCSP in case/instead.
- You have to download it from the CA (Certificate Authority), which is recommended twice daily.
OCSP
- Real-time
- Good, revoked, or unknown
- Public CA
- Internet CA
- You can use a CRL in case/instead
If there is too much traffic to intermediate CA, then use stapling.
Answer for CRL in the question:
- OCSP
Answers for OCSP in the question:
- CRL
- Stapling
Reasons for revoking a certificate:
Employee leaves the organization
A system is decommissioned
A certificate is superseded
The private key is compromised
The certificate was issued fraudulently
Certificates that have expired do not need to be revoked.