CCSP SECUR FAQ: Scaling a VPN Using IPSec with a Certificate Authority
Q1. What is the primary advantage of creating IPSec VPNs using CA support?
A. They are easy to configure.
B. They are easy to manage.
C. They cannot be interrupted.
D. Microsoft makes a CA product.
E. None of the above.
Q2. Which is not a supported X.509 CA product?
A. VeriSign OnSite 7.5
B. Entrust Technologies
C. Windows 2000 Certificate Server 5.0
D. Baltimore Technologies
E. None of the above
Q3. What details are not required to configure a CA server?
A. CA server type
B. CA server OS
C. CA administrator contact info
D. CA server URL
E. CA server host name
Q4. What is the correct command for generating RSA key pairs for use with RSA-encrypted nonces?
A. config rsa keys
B. crypto key generate rsa usage keys
C. crypto key rsa generate usage keys
D. crypto key generate rsa nonces
E. None of the above
Q5. What feature does the router use to connect to the CA server?
A. It resolves the DNS on the Internet.
B. It resolves the DNS at the root server.
C. It resolves an entry in the host table on the router.
D. It connects by IP address.
E. The router performs a DNS reverse lookup.
Q6. Which is not a modulus length for generating RSA keys?
A. 2048
B. 512
C. 256
D. 360
E. 1024
Q7. What configuration mode are you in when you enter the crypto ca trustpoint command?
A. Crypto CA mode
B. Config-crypto mode
C. EXEC mode
D. Global configuration mode
E. Privileged EXEC mode
Q8. What does the command crypto ca enroll do?
A. Requests certificates from the CA for all router RSA key pairs
B. Enrolls the router in the CA public key list
C. Requests the CA validate all certificates that are currently on the router
D. Requests the CA validate only peer certificates
E. Answers C and D
Q9. Why is it extremely important to save your password when enrolling with the CA server?
A. Because the password is not saved on the router
B. Because the password is incorporated into the certificate
C. Because the CA will ask you for the password again at the end of the enrollment process
D. Because you will need to provide it to the CA administrator to revoke the certificate
E. Because you might forget it and be locked out of the CA server
Q10. What does the “M” code mean when shown in the output from the show crypto key pubkey-chain command?
A. The CA server is a Microsoft server.
B. The certificate is configured manually.
C. The certificate is only good for main mode exchanges.
D. The key is only valid for manual IPSec.
E. None of the above.
Q11. What protocols are used by SCEP?
Q12. Why is it important to configure the router host name and domain name before requesting a certificate?
Q13. What is the best alternative to configuring the date, time, and time zone on your router?
Q14. What does the option usage keys do when generating RSA key pairs?
Q15. How do you configure the router to accept peer certificates if the CRL is not accessible?
Q16. How does the router authenticate the CA?
Q17. What command sends out a CA/RA request?
Q18. Why should you save the configuration after enrolling with the CA?
Q19. What does the command show crypto key pubkey-chain rsa display?