PKI Certificate Management & Troubleshooting

PBQ 6: PKI & Certificate Troubleshooting

Scenario

PKI Infrastructure Management

You are a security administrator managing your organization's Public Key Infrastructure (PKI). Several certificate-related issues have been reported across the network: 1. Web server SSL/TLS certificates showing browser warnings 2. VPN authentication failures 3. Email encryption problems 4. Code signing verification errors Your task is to: - Review each digital certificate - Identify the security issue or misconfiguration - Select the appropriate remediation action - Understand PKI best practices and certificate lifecycle management Organization Details: - Internal CA: dc01.company.local - External web services: *.company.com - Valid certificate authorities: DigiCert, Let's Encrypt, Internal CA - Certificate validity period policy: Maximum 13 months for web certificates

Instructions: Examine each certificate carefully. Identify the problem and select the correct remediation action based on PKI best practices and security standards.

Issue 1

www.company.com

Browsers show "Not Secure" warning - Untrusted certificate authority

Certificate Status

Self-Signed

Common Name (CN)

www.company.com

Issuer

Self-Signed

Purpose

Public-facing web server

Valid From

2022-01-01

Valid To

2027-01-01

Key Usage

Digital Signature

Key Encipherment

Extended Key Usage

Server Authentication

Subject Alternative Names

www.company.com

company.com

Select Remediation Action:

Issue 2

vpn.company.com

VPN clients cannot connect - Certificate validation failure

Certificate Status

Expired

Common Name (CN)

vpn.company.com

Issuer

CN=DigiCert SHA2 Secure Server CA

Purpose

VPN gateway

Valid From

2023-01-15

Valid To

2024-01-14

Key Usage

Digital Signature

Key Encipherment

Extended Key Usage

Server Authentication

Client Authentication

Subject Alternative Names

vpn.company.com

Select Remediation Action:

Issue 3

John Smith

Email encryption fails - Certificate not trusted

Certificate Status

Revoked

Common Name (CN)

John Smith

Issuer

CN=company.local-CA

Purpose

S/MIME email encryption

Valid From

2023-06-01

Valid To

2025-06-01

Key Usage

Digital Signature

Key Encipherment

Data Encipherment

Extended Key Usage

Email Protection

Client Authentication

Select Remediation Action:

Issue 4

company-codesign

Code signing warnings appear during software installation

Certificate Status

Valid

Common Name (CN)

company-codesign

Issuer

CN=DigiCert Code Signing CA

Purpose

Software code signing

Valid From

2021-03-10

Valid To

2024-03-10

Key Usage

Digital Signature

Extended Key Usage

Code Signing

Select Remediation Action:

Issue 5

*.company.com

Certificate violates policy - exceeds maximum validity period

Certificate Status

Valid

Common Name (CN)

*.company.com

Issuer

CN=Let's Encrypt Authority X3

Purpose

Wildcard certificate for multiple subdomains

Valid From

2024-01-01

Valid To

2025-07-01

Key Usage

Digital Signature

Key Encipherment

Extended Key Usage

Server Authentication

Subject Alternative Names

*.company.com

company.com

www.company.com

Select Remediation Action: