CompTIA CASP+ (CAS-004) — Question 461
An organization wants to set up an internal PKI to support encrypting traffic between internal support web applications and users' endpoint devices. A security policy requires that certificates must be validated for each request to reduce the risk of an on-path attack. The business requires that the solution does not reduce the responsiveness of the web applications. Which of the following solutions would best satisfy both the security and business requirements?
Answer options
- A. Require each endpoint to validate using a CRL.
- B. Implement certificate pinning for all web applications.
- C. Outsource PKI management to a managed service provider.
- D. Configure the CA to support OCSP responder services.
Correct answer: D
Explanation
The correct answer is D because OCSP (Online Certificate Status Protocol) lets a client query the revocation status of a single certificate in real time, without the latency associated with CRLs (Certificate Revocation Lists). Option A could slow down response time because each endpoint must download and parse the complete revocation list before it can trust a certificate. Options B and C do not directly address the requirement to validate certificates for each request: certificate pinning only binds a client to an expected certificate or key and provides no revocation status, and outsourcing PKI management changes who operates the CA, not how certificates are validated.