CCSP SECUR FAQ : Scaling a VPN Using IPSec with a Certificate Authority

Q1. What is the primary advantage of creating IPSec VPNs using CA support?
A. They are easy to configure.
B. They are easy to manage.
C. They cannot be interrupted.
D. Microsoft makes a CA product.
E. None of the above.

Answer: B

Q2. Which is not a supported X.509 CA product?
A. VeriSign OnSite 7.5
B. Entrust Technologies
C. Windows 2000 Certificate Server 5.0
D. Baltimore Technologies
E. None of the above

Answer: A

Q3. What details are not required to configure a CA server?
A. CA server type
B. CA server OS
C. CA administrator contact info
D. CA server URL
E. CA server host name

Answer: B

Q4. What is the correct command for generating RSA key pairs for use with RSA-encrypted nonces?
A. config rsa keys
B. crypto key generate rsa usage keys
C. crypto key rsa generate usage keys
D. crypto key generate rsa nonces
E. None of the above

Answer: B

Q5. What feature does the router use to connect to the CA server?
A. It resolves the DNS on the Internet.
B. It resolves the DNS at the root server.
C. It resolves an entry in the host table on the router.
D. It connects by IP address.
E. The router performs a DNS reverse lookup.

Answer: C

Q6. Which is not a modulus length for generating RSA keys?
A. 2048
B. 512
C. 256
D. 360
E. 1024

Answer: C

Q7. What configuration mode are you in when you enter the crypto ca trustpoint command?
A. Crypto CA mode
B. Config-crypto mode
C. EXEC mode
D. Global configuration mode
E. Privileged EXEC mode

Answer: D

Q8. What does the command crypto ca enroll do?
A. Requests certificates from the CA for all router RSA key pairs
B. Enrolls the router in the CA public key list
C. Requests the CA validate all certificates that are currently on the router
D. Requests the CA validate only peer certificates
E. Answers C and D

Answer: A

Q9. Why is it extremely important to save your password when enrolling with the CA server?
A. Because the password is not saved on the router
B. Because the password is incorporated into the certificate
C. Because the CA will ask you for the password again at the end of the enrollment process
D. Because you will need to provide it to the CA administrator to revoke the certificate
E. Because you might forget it and be locked out of the CA server

Answer: D

Q10. What does the “M” code mean when shown in the output of the show crypto key pubkey-chain command?
A. The CA server is a Microsoft server.
B. The certificate is configured manually.
C. The certificate is only good for main mode exchanges.
D. The key is only valid for manual IPSec.
E. None of the above.

Answer: B

Q11. What protocols are used by SCEP?

Answer: PKCS#7 and PKCS#10

Q12. Why is it important to configure the router host name and domain name before requesting a certificate?

Answer: The host name and domain name are written into the certificate.

Q13. What is the best alternative to configuring the date, time, and time zone on your router?

Answer: Configure NTP.

Q14. What does the option usage keys do when generating RSA key pairs?

Answer: It configures the router to generate two pairs of keys: one for authentication (RSA signatures) and the other for encryption (RSA nonces).

Q15. How do you configure the router to accept peer certificates if the CRL is not accessible?

Answer: The command crl optional

Q16. How does the router authenticate the CA?

Answer: By receiving the CA self-signed certificate and the CA public key

Q17. What command sends out a CA/RA request?

Answer: crypto ca authenticate

Q18. Why should you save the configuration after enrolling with the CA?

Answer: To prevent loss of the certificates if the router reboots

Q19. What does the command show crypto key pubkey-chain rsa display?

Answer: It lists all the peer public keys on the router.

About the author

Scott

Leave a Comment