Exam 350-901 topic 1 question 266 discussion

crl and root are non existing files, so only answer A is correct syntax wise

have to be in that order

B https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm

Option B, here is the source, end of discussion! https://support.sectigo.com/PS_KnowledgeDetailPage?Id=kA03l00000117PB https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm

Assuming typo : The other options are not correct. Option A, cat intermediate_certificate.crt root_certificate.crt > certificate_bundle.pem, will not create a valid .pem file. The intermediate CA certificate must come before the root CA certificate in the .pem file. Option B, cat crl certificate.crt intermediate certificate.crt root certificate.crt > certificate bundle.pem, will not create a valid .pem file. The CRL certificate is not required for the application to use the .pem file. Option D, cat root certificate.crt intermediate certificate.crt > certificate bundle.pem, will not create a valid .pem file. The crl certificate is missing from the .pem file.

Answer is B, considering there is a typos and _ is missing. Order of certificates does matter. Server cert first, followed by intermediate and root. RFC: https://www.rfc-editor.org/rfc/rfc4346#section-7.4.2 Application certificate needs to be there 100%.

RFC 5246 7.4.2 Server Certificate certificate_list This is a sequence (chain) of certificates. The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case. The same message type and structure will be used for the client's response to a certificate request message. Note that a client MAY send no certificates if it does not have an appropriate certificate to send in response to the server's authentication request.

Just in case is was asked in the exam, here is an output from Bing AI: You can use the following command to output the certificate bundle as a .pem file: ```bash cat root_certificate.crt intermediate_certificate.crt crl_certificate.crt > certificate_bundle.pem ``` This command concatenates the three .crt files into one .pem file. ¹²³ Source: Conversation with Bing, 5/30/2023(1) ssl - How to get .pem file from .key and .crt files? - Stack .... https://stackoverflow.com/questions/991758/how-to-get-pem-file-from-key-and-crt-files Accessed 5/30/2023. (2) Using `openssl` to display all certificates of a PEM file. https://unix.stackexchange.com/questions/696224/using-openssl-to-display-all-certificates-of-a-pem-file Accessed 5/30/2023. (3) How to create a .pem file for SSL Certificate Installations. https://www.suse.com/support/kb/doc/?id=000018152 Accessed 5/30/2023.

You don't need to include the application certificate only intermediate and root - A is correct

I asked ChatGPT and it answered B. The Bash command cat is used to concatenate multiple files and output the result to a new file. In this case, the correct order to concatenate the files is: - crl_certificate.crt - intermediate_certificate.crt - root_certificate.crt then redirecting the output to certificate_bundle.pem. This will create the certificate bundle in the correct order, with the application-specific SSL certificate first, followed by the intermediate CA certificate and the root CA certificate. This order is important as the certificate bundle must be presented in the correct order for the SSL/TLS handshakes to be successful. The client must be able to build a chain of trust from the application-specific certificate to the root CA certificate.

CA-bundle is a file that contains root and intermediate certificates in the right order. The order must be: - Intermediate CA Certificate 2 - Intermediate CA Certificate 1 - Root CA Certificate But NOT your own server cert.