| Q: | Management has defined the following circumstances when a certificate must be revoked. Complete the following table to provide recommendations on what revocation reason should be applied if a certificate is revoked under matching circumstances. |
| Q: | What revocation checking method would you use for the offline CAs in the CA hierarchy? |
| A: | The offline CAs must use CRL checking. The OCSP Responder cannot communicate with an offline CA for revocation checking purposes. |
| Q: | Can you configure the issuing CAs to only use OCSP, or must you provide both OCSP and CRL support for revocation checking? |
| A: | You must implement both OCSP and CRL support on the issuing CAs, for two reasons: the Windows Server 2003 Web servers support only CRL checking for certificate-based authentication, and the Online Responder determines revocation information by inspecting CRLs. |
| Q: | What certificate template would you use for OCSP Response Signing? |
| A: | The Windows Server 2008 enterprise CAs can issue certificates based on the default OCSP Response Signing version 3 certificate template. |
| Q: | How many revocation configurations must be defined for the Fabrikam network? |
| A: | Two. One for each of the issuing CAs. |
| Q: | Assume that you have created a three-node Online Responder array to process the OCSP requests. Where would you define the revocation configuration? |
| A: | You would define the revocation configuration at the array controller. The revocation configuration is then replicated to all array members from the array controller. |
| Q: | For the purposes of disaster recovery, how would you back up the Online Responder configuration? |
| A: | The responder configuration can be backed up for disaster recovery by performing a system state backup at the array controller. |