Exam SY0-701 topic 1 question 401 discussion

When a private key for a website is stolen, the certificate associated with that key is considered compromised. The next important step is to update the Certificate Revocation List (CRL) to include the old certificate so that clients and browsers know that it should no longer be trusted.

A. SCEP (Simple Certificate Enrollment Protocol)-for enrolling only C. OCSP (Online Certificate Status Protocol): check status online D. CSR (Certificate Signing Request): Request new certificate.

The correct answer is: B. CRL Explanation: When a private key is stolen, the associated certificate must be revoked to ensure it is no longer trusted. Updating the Certificate Revocation List (CRL) is necessary to inform systems that the certificate is invalid and should not be trusted. Other Options: A. SCEP (Simple Certificate Enrollment Protocol): Used for certificate enrollment but is not related to revoking or updating certificates. C. OCSP (Online Certificate Status Protocol): This protocol is used to check the revocation status of a certificate in real time, but the CRL must be updated first for OCSP to reflect the change. D. CSR (Certificate Signing Request): This is used to request a new certificate but does not handle revocation or updates related to the stolen private key.

A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked. When a private key is compromised, the corresponding certificate should be revoked to prevent its further use. By updating the CRL, the system can validate the authenticity of certificates and prevent unauthorized access.

D. CSR (Certificate Signing Request). Explanation: When a private key is compromised, the entire certificate needs to be reissued. This involves the following steps: Generate a new CSR: A new Certificate Signing Request (CSR) is generated, which includes the public key associated with the new private key. Submit the CSR to the CA: The new CSR is submitted to the Certificate Authority (CA) for verification and signing. Issue a new certificate: The CA issues a new digital certificate that is bound to the new public key. Once the new certificate is issued, it needs to be installed on the web server. The other options (SCEP, CRL, and OCSP) are related to certificate management and revocation, but they are not directly affected by the compromise of the private key and the issuance of a new certificate.

Simple Certificate Enrollment Protocol *Certificate Revocation List Offensive Security Certified Professional Certificate Signing Request