CAS-002 Question #158: Real Exam Question with Answer & Explanation
The correct answer is D: Replace the SSL certificate on pay.xyz.com.
Question
Options
- A. Generate a new public key on both servers.
- B. Replace the SSL certificate on dev1.xyz.com.
- C. Generate a new private key password for both servers.
- D. Replace the SSL certificate on pay.xyz.com.
Explanation
A wildcard certificate (*.xyz.com) shares the same private key across all subdomains using it. When the USB drive containing the certificate (and implicitly the private key) was lost, the private key must be considered compromised. Any party who finds the USB can use the private key to decrypt intercepted traffic or impersonate any subdomain.

The immediate priority is to revoke the compromised certificate and issue a new one with a new key pair on the most sensitive system first - the payment server (pay.xyz.com), which processes financial transactions. Once the payment server is secured, dev1.xyz.com and any other affected hosts should also be updated.

Option A (generate new public key alone) is incorrect - key generation requires a full key pair and new CSR. Option B (replace on dev1 first) misidentifies priority. Option C (change private key password) does nothing to protect against a lost physical key file.