The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark this question wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. Which of the following items are not components of a digital certificate?

a. Name

b. Organization

c. IP address

d. Serial number

e. Private key

f. All of the above

2. A CA is responsible for all of the following except what?

a. Receives certificate requests

b. Issues certificates

c. Maintains certificates

d. Revokes certificates

e. Validates certificates

f. All of the above

3. Which of the following is the advantage of using CA support on peer routers for an IPsec tunnel?

a. Multiple peers can be managed and configured.

b. Peers no longer need to manually exchange preshared keys or nonces.

c. Peer encryption/decryption is done more efficiently.

d. Peers can be centrally monitored.

e. Each peer can report detailed IPsec latency information.

f. Peers can utilize stronger encryption methods.

4. Cisco IOS Software supports all of the following CA standards except for_

d. X.508 certificates

e. PKCS#7

f. PKCS#11

5. Which of the following CA services use X.509v3 certificates and support SCEP? (Select four.)

a. VeriSign Onsite 4.5

b. Entrust Technologies

c. Baltimore Technologies

d. Twarte 4.6

e. OpenSSL 3.0

f. Windows 2000 Certificate Server 5.0

6. What is not a step in the process of configuring a router for CA support?

a. Configure the router host name and domain name.

b. Set the router date, time, and time zone.

c. Declare the CA.

d. Generate the RSA key pair.

e. Request your certificate.

f. All of the above.

7. Why is it important to add the CA server to the router host table?

a. It can be contacted by IP address only.

b. It protects the security of the CA.

c. It provides more detailed logging information for the CA.

d. It is required for generating private/public key pairs.

e. It increases performance of the router.

f. None of the above.

8. What command is required to identify the trusted CA Chicago_CA for a Cisco router?

a. crypto ca trustpoint Chicago_CA

b. ca server trust Chicago_CA

c. crypto ca primary Chicago_CA

d. ca server primary Chicago_CA

e. crypto ca primary trustpoint Chicago_CA

f. None of the above

9. When a certificate is requested from a server using the crypto ca enroll command, which of the following occurs? (Select four.)

a. Router sends the key pairs to the CA server.

b. Server generates and signs the identity certificates.

c. Server validates key pair with peer.

d. CA servers send the certificates back to the router.

e. CA server sends certificate to the peer.

f. CA posts a copy of certificate in its public repository.

10. What commands can you use to validate the CA configuration? (Select at least three.)

ca certificates

key mypubkey rsa

key rsa

key pubkey-chain rsa





The answers to the "Do I Know This Already?" quiz are found in the appendix. The suggested choices for your next step are as follows:

• 8 or less overall score: Read the entire chapter. This includes the "Foundation Topics" and "Foundation Summary" sections and the "Q&A" section.

• 9 or 10 overall score: If you want more review on these topics, skip to the "Foundation Summary" section and then go to the "Q&A" section. Otherwise, move on to Chapter 21, "Troubleshooting the VPN Configuration on a Cisco Router."


