SY0-501 Question #445: Real Exam Question with Answer & Explanation
The correct answer is D: Certificate utilizing the SAN file. When the same certificate must be installed on multiple servers with different hostnames and still pass hostname verification, a Subject Alternative Name (SAN) certificate is the appropriate solution.
Question
A security engineer must install the same X.509 certificate on three different servers. The client application that connects to the server performs a check to ensure the certificate matches the host name. Which of the following should the security engineer use?
Options
- A. Wildcard certificate
- B. Extended validation certificate
- C. Certificate chaining
- D. Certificate utilizing the SAN file
Explanation
When the same certificate must be installed on multiple servers with different hostnames and still pass hostname verification, a Subject Alternative Name (SAN) certificate is the appropriate solution.
Common mistakes.
- A. A wildcard certificate covers all subdomains of a single domain (e.g., *.example.com) but cannot cover multiple unrelated hostnames or different domain levels, limiting its flexibility for distinct server names.
- B. Extended validation (EV) certificates relate to the rigorous identity vetting process performed by the CA to display a higher-trust indicator in browsers, and do not address the requirement of matching multiple hostnames on a single certificate.
- C. Certificate chaining refers to the trust path from a leaf certificate up through intermediate CAs to a root CA, which is a PKI trust validation mechanism and has nothing to do with assigning a certificate to multiple hostnames.
Concept tested. SAN certificates for multi-host hostname validation