Acme Corp runs a hybrid PKI: an offline root CA on-premises, two intermediate CAs (one on-prem, one in Azure), and multiple leaf certificates for web and code signing.
An audit reveals one intermediate CA uses a deprecated algorithm, a leaf cert has expired, and the CRL is 11 days old (max allowed: 7 days).
You must: (1) arrange the certificate chain in correct trust order, (2) select the correct algorithm per use case, and (3) identify which certificates must be revoked immediately.
Part 1 — Drag certificates into correct chain order (1 = Trust Anchor at top)
Certificates (drag to order):
- Leaf: api.acme.com | Issued by: Azure Inter CA | Expires: 2026-06-01 | SANs: api.acme.com
- Issued by: On-Prem CA | EXPIRED: 2024-11-30 | RSA-1024 ⚠️
Certificate Trust Chain (drag here):
1. Trust Anchor (top of chain)
2. Intermediate CA
3. Leaf / End-Entity
Chain for: api.acme.com TLS validation only
Part 2 — Select the correct algorithm for each use case
Use Case | Current (Audit Finding) | Correct Algorithm
TLS 1.3 key exchange for api.acme.com (forward secrecy required) | RSA-2048 key exchange | (select)
Password hashing in the identity database (must resist offline brute-force) | MD5 | (select)
Intermediate CA certificate signing algorithm (replace SHA-1 finding from audit) | SHA-1 (deprecated) | (select)
Encrypting sensitive files at rest in Azure Blob (bulk data encryption, performance matters) | AES-128-CBC | (select)
Part 3 — Select all certificates that must be immediately revoked
The audit found: an expired leaf cert still in the cert store, an intermediate CA using SHA-1 and RSA-1024 on the code-signing leaf, and a CRL that is 11 days stale (past the 7-day max). Select every certificate requiring immediate revocation — do NOT select valid certs.
- Code Signing Cert: EXPIRED 2024-11-30 | RSA-1024 | Issued by On-Prem CA
- On-Prem Issuing CA Cert: SHA-1 algorithm | Signed by Root CA
- Root CA Certificate: SHA-256 | Offline | Expires 2044 | Valid
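The three parts of the exercise are the checks a PKI audit script runs: walk issuer links from a leaf up to the self-signed anchor to get the chain order, flag each certificate against expiry, key-size and signature-hash policy, and compare the CRL's last update against the allowed maximum age. The block below is an added example, not part of the exercise and not Acme's tooling; the certificate records, names and dates are constructed and deliberately do not reuse the exercise's cards, and the 2048-bit RSA minimum and the MD5/SHA-1 deprecation list are assumed policy values (the exercise only states the 7-day CRL maximum).

```python
from datetime import date, timedelta

# Policy thresholds. Only the 7-day CRL maximum comes from the exercise text;
# the key-size minimum and deprecated-hash list are assumed for this example.
MAX_CRL_AGE = timedelta(days=7)
MIN_RSA_BITS = 2048
DEPRECATED_SIG_HASHES = {"md5", "sha1"}

# Constructed certificate records (fields an auditor extracts from each cert).
# These are illustrative names, not the exercise's own certificates.
CERTS = [
    {"subject": "Example Root CA", "issuer": "Example Root CA",
     "sig_hash": "sha256", "key_bits": 4096, "not_after": date(2044, 1, 1)},
    {"subject": "Example Issuing CA", "issuer": "Example Root CA",
     "sig_hash": "sha1", "key_bits": 2048, "not_after": date(2030, 1, 1)},
    {"subject": "svc.example.test", "issuer": "Example Issuing CA",
     "sig_hash": "sha256", "key_bits": 1024, "not_after": date(2024, 11, 30)},
]

# Constructed audit date and CRL timestamps: one CRL 11 days old, one exactly 7.
AUDIT_DATE = date(2025, 6, 1)
CRL_STALE_UPDATE = AUDIT_DATE - timedelta(days=11)
CRL_FRESH_UPDATE = AUDIT_DATE - timedelta(days=7)


def order_chain(certs, leaf_subject):
    """Return subjects ordered trust anchor first, leaf last.

    Starts at the leaf and follows each certificate's issuer field until a
    self-signed certificate (subject == issuer) is reached. A missing issuer
    or an issuer loop means the chain cannot be built.
    """
    by_subject = {c["subject"]: c for c in certs}
    chain, seen = [], set()
    cur = by_subject[leaf_subject]
    while True:
        if cur["subject"] in seen:
            raise ValueError(f"issuer loop at {cur['subject']}")
        seen.add(cur["subject"])
        chain.append(cur["subject"])
        if cur["issuer"] == cur["subject"]:
            break  # self-signed: this is the trust anchor
        if cur["issuer"] not in by_subject:
            raise ValueError(f"chain broken: issuer {cur['issuer']} of {cur['subject']} not present")
        cur = by_subject[cur["issuer"]]
    chain.reverse()  # anchor at position 1, leaf last
    return chain


def audit_cert(cert, today):
    """Return the policy findings for one certificate (empty list = clean)."""
    findings = []
    if cert["not_after"] < today:
        findings.append("expired")
    if cert["key_bits"] < MIN_RSA_BITS:
        findings.append("weak_key")
    if cert["sig_hash"] in DEPRECATED_SIG_HASHES:
        findings.append("deprecated_signature_hash")
    return findings


def crl_is_stale(this_update, today, max_age=MAX_CRL_AGE):
    """True when the CRL's thisUpdate is older than the allowed maximum age."""
    return today - this_update > max_age


def run_audit(certs, leaf_subject, crl_this_update, today):
    """Combine chain ordering, per-certificate findings and CRL freshness."""
    return {
        "chain": order_chain(certs, leaf_subject),
        "findings": {c["subject"]: audit_cert(c, today) for c in certs},
        "crl_stale": crl_is_stale(crl_this_update, today),
    }


def example_report():
    """Audit the constructed chain with the 11-day-old CRL."""
    return run_audit(CERTS, "svc.example.test", CRL_STALE_UPDATE, AUDIT_DATE)


if __name__ == "__main__":
    report = example_report()
    print("chain (anchor first):", " -> ".join(report["chain"]))
    for subject, findings in report["findings"].items():
        print(f"{subject}: {', '.join(findings) or 'OK'}")
    print("CRL stale:", report["crl_stale"])
```

A certificate with any finding is one the audit escalates; which of those findings justify immediate revocation versus reissue is the policy decision the exercise asks for, and the script leaves that to the reader rather than encoding it.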