Free PBQ Demo · Advanced

Topology · PKI Trust Chain

Stand up a 2-tier PKI — keep the root CA offline, issue from a sub-CA, configure OCSP + CRL, scope cert lifetimes.

Tests: Public-key infrastructure, root vs intermediate CA, revocation (OCSP / CRL), cert lifecycle — Security+ Domain 1.

~9 min · No signup needed

Scenario

Stand up a 2-tier PKI with revocation, used by internal services.

Network Topology — Live View

  • Root CA (self-signed)
  • Sub-CA (issuing CA)
  • OCSP Responder (real-time)
  • CRL Distribution (fallback)
  • Internal Web (wiki.corp)
  • VPN Concentrator (cert auth)

Tasks

  • Root CA — OFFLINE, 20-year cert, ECDSA P-384.
  • Sub-CA — 1-year issued certs, OCSP + CRL URLs in every cert.
  • OCSP responder enabled, 1h cache.
  • CRL published daily as fallback.
  • Auto-renew internal web + VPN certs at the 30-day mark.
