SSCP · Question #582
SSCP Question #582: Real Exam Question with Answer & Explanation
The correct answer is B: It requires the authentic distribution of the new root CA certificate to all PKI participants.
Question
What is the main problem of the renewal of a root CA certificate?
Options
- A. It requires key recovery of all end user keys
- B. It requires the authentic distribution of the new root CA certificate to all PKI participants
- C. It requires the collection of the old root CA certificates from all the users
- D. It requires issuance of the new root CA certificate
Explanation
The main task here is the authentic distribution of the new root CA certificate, as the new trust anchor, to all the PKI participants (e.g. the users). In some rollover scenarios there is no automatic way to do this, and often each user must explicitly assign trust, which could be very costly. Other methods use the old root CA certificate for automatic trust establishment (see PKIX-reference), but these solutions work well only in scenarios where the current root CA certificate is still valid (and not in emergency cases, e.g. compromise of the current root CA certificate). The rollover of the root CA certificate is a specific and delicate problem, and it is therefore often ignored during PKI deployment.