A security architect wants to ensure a remote host's identity and decides that pinning the X.509 certificate to the device is the most effective solution. Which of the following must happen first?
A. Use Distinguished Encoding Rules (DER) for the certificate.
B. Extract the private key from the certificate.
C. Use an out-of-band method to obtain the certificate.
D. Compare the retrieved certificate with the embedded certificate.
❌ Why the others are incorrect:
A. Use Distinguished Encoding Rules (DER)
DER is a binary format for encoding certificates, but it's not a required first step and doesn't ensure trust by itself.
B. Extract the private key from the certificate
This is not only unnecessary but also a serious security violation. The private key should never be extracted or shared.
D. Compare the retrieved certificate with the embedded certificate
This is the verification step, which happens after pinning — not before.
✅ C. Use an out-of-band method to obtain the certificate.
🔐 Explanation:
Certificate pinning is a security technique used to associate a host (e.g., a server) with its expected X.509 certificate or public key. This helps prevent man-in-the-middle (MitM) attacks where an attacker could present a fraudulent certificate.
Before you can "pin" a certificate (i.e., embed or store a known-good certificate or public key in the app or system):
You first need to obtain the correct certificate securely, usually via an out-of-band method (i.e., not over the same channel that could be compromised).
Once you have the authentic certificate, you can pin it, and then compare it at runtime against what is presented by the host.
upvoted 1 times
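The three steps in the answer above (obtain the certificate out of band, embed the pin, compare at runtime) as an added, runnable example that is not part of the original page or the exam material. It uses only the Go standard library: a self-signed certificate stands in for the one you would fetch out of band, a second certificate for the same hostname plays the fraudulent one an attacker might present, the hostname api.example.com is constructed, and the pin format (base64 of the SHA-256 of the SubjectPublicKeyInfo) is the common SPKI-pin convention rather than anything the page prescribes. The handshake runs over an in-memory net.Pipe, so nothing touches the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway certificate for host. This is constructed
// test data; in practice the genuine certificate is obtained out of band.
func selfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// SPKIPin is the value you compute from the out-of-band certificate and embed
// in the client: base64(SHA-256(SubjectPublicKeyInfo)). Pinning the SPKI rather
// than the whole certificate survives a routine re-issue with the same key.
func SPKIPin(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// PinnedConfig returns a client tls.Config that rejects any leaf whose SPKI
// hash is not in pins. Chain validation is skipped only because the demo
// certificate is self-signed; in production keep RootCAs validation and run
// this check on top of it.
func PinnedConfig(host string, pins []string) *tls.Config {
	return &tls.Config{
		ServerName:         host,
		InsecureSkipVerify: true, // the pin check below makes the identity decision
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return errors.New("no certificate presented")
			}
			got, err := SPKIPin(rawCerts[0])
			if err != nil {
				return err
			}
			for _, p := range pins {
				if p == got {
					return nil
				}
			}
			return fmt.Errorf("certificate pin mismatch: got %s", got)
		},
	}
}

// Handshake runs an in-memory TLS handshake between a server presenting
// serverCert and a client using clientCfg, and returns the client's verdict.
func Handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	c, s := net.Pipe()
	defer c.Close()
	defer s.Close()
	srv := tls.Server(s, &tls.Config{Certificates: []tls.Certificate{serverCert}})
	go srv.Handshake() // server side; its result is not needed for the demo
	return tls.Client(c, clientCfg).Handshake()
}

func main() {
	genuine, _ := selfSignedCert("api.example.com")
	rogue, _ := selfSignedCert("api.example.com") // same name, different key
	pin, _ := SPKIPin(genuine.Certificate[0])     // step 1: obtained out of band
	cfg := PinnedConfig("api.example.com", []string{pin}) // step 2: pinned
	fmt.Println("genuine:", Handshake(genuine, cfg))       // step 3: compare at runtime
	fmt.Println("rogue:  ", Handshake(rogue, cfg))
}
```

The rogue certificate carries the same CommonName and DNS name as the genuine one, so a client that only checked the hostname would accept it; the pin comparison is what rejects it. When rotating keys, ship the new pin alongside the old one (the pins slice) before the server switches, otherwise every client will lock itself out.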
Community vote distribution: A (35%), C (25%), B (20%), Other
vicbersong, 1 week, 1 day ago