CompTIA
CAS-001 · Question #531
CAS-001 Question #531: Real Exam Question with Answer & Explanation
The correct answer is E: The VPN concentrator's certificate private key must be installed on the VPN concentrator. To add PKI as a second authentication factor on a VPN concentrator without certificate errors, the concentrator must host its own private key and the CA's public certificate so that it can both authenticate itself to clients and validate user certificates.
Question
A security administrator is tasked with implementing two-factor authentication for the company VPN. The VPN is currently configured to authenticate VPN users against a backend RADIUS server. New company policies require a second factor of authentication, and the Information Security Officer has selected PKI as the second factor. Which of the following should the security administrator configure and implement on the VPN concentrator to implement the second factor and ensure that no error messages are displayed to the user during the VPN connection? (Select TWO).
Options
- A. The user's certificate private key must be installed on the VPN concentrator.
- B. The CA's certificate private key must be installed on the VPN concentrator.
- C. The user certificate private key must be signed by the CA.
- D. The VPN concentrator's certificate private key must be signed by the CA and installed on the VPN
- E. The VPN concentrator's certificate private key must be installed on the VPN concentrator.
- F. The CA's certificate public key must be installed on the VPN concentrator.
Explanation
To add PKI as a second authentication factor on a VPN concentrator without certificate errors, the concentrator must host its own private key (so it can present its CA-signed certificate and prove possession of the matching key) and the CA's public certificate (so it can validate the signature on each user's certificate).
Common mistakes.
- A. A user's private key must remain exclusively under that user's control and must never be copied to the VPN concentrator; distributing it would compromise the entire premise of asymmetric PKI security.
- B. The CA's private key is the most sensitive asset in a PKI and must never leave the CA infrastructure; installing it on the VPN concentrator would represent a catastrophic security compromise.
- C. In PKI, it is the certificate (the document containing the public key) that is digitally signed by the CA, not the private key; private keys are generated locally and are never signed by any authority.
- D. While the VPN concentrator's certificate is correctly signed by the CA, the option incorrectly states that the private key is signed by the CA; the private key is never signed, and only the certificate containing the corresponding public key receives the CA signature.
Concept tested. PKI certificate and private key deployment on a VPN concentrator.