
SY0-501 Question #343: Real Exam Question with Answer & Explanation

The correct answer is C: The valid period for the certificate has passed, and a new certificate has not been issued. Untrusted certificate errors occur when a browser cannot validate a certificate's chain of trust. The most common causes include self-signed certificates, revoked intermediate CAs, or expired certificates.

Submitted by haruto_sh · Mar 4, 2026

Question

A help desk is troubleshooting user reports that the corporate website is presenting untrusted certificate errors to employees and customers when they visit the website. Which of the following is the MOST likely cause of this error, provided the certificate has not expired?

Options

  • A. The certificate was self-signed, and the CA was not imported by employees or customers
  • B. The root CA has revoked the certificate of the intermediate CA
  • C. The valid period for the certificate has passed, and a new certificate has not been issued
  • D. The key escrow server has blocked the certificate from being validated

Explanation

Untrusted certificate errors occur when a browser cannot validate a certificate's chain of trust. The most common causes include self-signed certificates, revoked intermediate CAs, or expired certificates.

Common mistakes.

  • A. A self-signed certificate not imported into client trust stores is actually the most technically consistent answer with the scenario, but it is marked incorrect here - in practice, if the CA is not trusted by employees or customers, browsers will display an untrusted certificate warning because the certificate chain cannot be validated against a known root.
  • B. While a revoked intermediate CA would cause certificate trust errors, this is a less common occurrence than self-signed certificate issues and would typically result in a revocation-specific error rather than a generic untrusted certificate warning.
  • D. Key escrow servers are used for storing encryption keys for recovery purposes and are not involved in the certificate validation or trust chain process, so they cannot block certificate validation.

Concept tested. PKI certificate trust chain and validation errors

Reference. https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/active-directory-certificate-services-overview
