A security architect wants to ensure a remote host’s identity and decides that pinning the X.509 certificate to the device is the most effective solution. Which of the following must happen first?
A. Use Distinguished Encoding Rules (DER) for the certificate.
B. Extract the private key from the certificate.
C. Use an out-of-band method to obtain the certificate.
D. Compare the retrieved certificate with the embedded certificate.
The correct answer is C. Use an out-of-band method to obtain the certificate. Certificate pinning involves associating (or "pinning") a specific certificate or public key to a particular host or service. In this case, pinning the X.509 certificate to the device means the device will only trust a specific certificate for that remote host, ensuring the identity of the remote host can be verified.
Before pinning a certificate, you must first securely obtain the correct certificate from the remote host. This is typically done via an out-of-band method, meaning you get the certificate securely through a trusted channel (e.g., via secure email, a trusted administrator, or a physical method) to ensure you're not receiving a potentially compromised certificate from an untrusted or attacker-controlled source.
Once you have the correct certificate, you can then store (pin) it to the device and compare any future certificates presented by the remote host against the pinned certificate to ensure the identity is genuine.
CAS-004 Exam Questions
Community vote distribution: A (35%), C (25%), B (20%), Other
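The ordering the comment describes, as an added example that is not part of the original page or of any vendor's pinning library: the pin is derived from a certificate obtained out-of-band and embedded in the client before any connection is made; at connect time the leaf certificate the peer actually presents is hashed and compared against that stored pin. The DER bytes, the backup pin and the function names (`pin_from_der`, `presented_cert_matches_pin`, `connect_with_pin`) are constructed for this example; the sample "certificate" bytes are not a valid X.509 encoding and only stand in for one. The pin is computed over the DER form because DER is canonical, which is why option A in the question is a detail of the pin format rather than the first step.

```python
"""Certificate pinning in the order the answer describes: obtain the
certificate out-of-band first, embed its pin, then compare at connect time.
Added example; not code from the original page."""
import hashlib
import hmac
import socket
import ssl

# Pin material obtained OUT-OF-BAND (from the administrator over a trusted
# channel) and embedded before first use. Constructed sample bytes: these
# stand in for DER certificates and are NOT a valid X.509 encoding.
OOB_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-sample-certificate-bytes"
OOB_BACKUP_DER = b"\x30\x82\x01\x00" + b"constructed-backup-certificate-bytes"


def pin_from_der(der: bytes) -> str:
    """Pin = SHA-256 over the DER encoding, as lowercase hex.

    DER is canonical, so the same certificate always yields the same pin;
    PEM text can differ in line wrapping and headers, so it is converted
    to DER before hashing."""
    return hashlib.sha256(der).hexdigest()


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (stdlib helper, used by the check below)."""
    return ssl.DER_cert_to_PEM_cert(der)


def pin_from_pem(pem: str) -> str:
    """Accept a PEM-armoured certificate and pin its DER form."""
    return pin_from_der(ssl.PEM_cert_to_DER_cert(pem))


# The pin set the client ships with. A backup pin lets the operator rotate
# the certificate without locking clients out; both pins were obtained
# out-of-band, never from a live connection (trust-on-first-use is not pinning).
PINNED = frozenset({pin_from_der(OOB_CERT_DER), pin_from_der(OOB_BACKUP_DER)})


def presented_cert_matches_pin(presented_der: bytes, pins=PINNED) -> bool:
    """Compare the certificate the peer presented against the embedded pins.

    Constant-time comparison against every pin; any match is accepted.
    This does not replace chain validation, it is an extra check on top."""
    candidate = pin_from_der(presented_der)
    return any(hmac.compare_digest(candidate, p) for p in pins)


def connect_with_pin(host: str, port: int = 443, pins=PINNED) -> ssl.SSLSocket:
    """Open a TLS connection and refuse it unless the leaf certificate is pinned.

    Normal CA validation and hostname checking still run (default context);
    the pin check is applied after the handshake on the raw DER leaf.
    Not exercised offline; shown for the order of operations."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname verification
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    leaf = tls.getpeercert(binary_form=True)  # DER bytes of the presented cert
    if not presented_cert_matches_pin(leaf, pins):
        tls.close()
        raise ssl.SSLError(f"pin mismatch for {host}: got {pin_from_der(leaf)}")
    return tls


if __name__ == "__main__":
    # Offline demonstration with the constructed bytes: the pinned certificate
    # and its backup pass, a certificate that differs by one byte is rejected.
    print(presented_cert_matches_pin(OOB_CERT_DER))
    print(presented_cert_matches_pin(OOB_BACKUP_DER))
    print(presented_cert_matches_pin(OOB_CERT_DER + b"\x00"))
```

A mismatch is treated as a hard failure and the socket is closed before any application data is sent; the only way to change what the client accepts is to ship a new pin set through the same out-of-band channel, which is the point of doing that step first.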