CompTIA SecurityX (CAS-005) — Question 107

A system of globally distributed certificate servers connected to HSMs provide certificate security services for a publicly available PKI. These services include OCSP, certificate revocation list issuance, and certificate signing/issuance. The HSMs are all physical devices. All other servers are virtualized. Each global site has a network load balancer, and the sites are configured to load balance between sites.

Users report occasional but persistent log-on failures to different PKI-enabled websites. There is no apparent pattern to the failures. Some OCSP responses must be signed by the HSM. Each HSM is connected to a physical server containing multiple VMs for the local site with CAT 6e network cable. The backplane connecting the VMs is fiber based.

Which of the following would best reduce the OCSP response time in order to rule out the connection between the certificate server and HSM as a cause of the user-reported issues?

Answer options

• A. Virtualize the HSMs and convert the virtualized servers to physical systems.
• B. Replace the copper-based network infrastructure with fiber.
• C. Shorten the time the duration certificates are valid to 72 hours and implement ACME.
• D. Reduce the number of global sites while increasing the number of HSMs.

Correct answer: B

Explanation

Replacing the copper network infrastructure with fiber would provide significantly higher bandwidth and lower latency, improving OCSP response times. Virtualizing HSMs or changing virtual servers to physical wouldn't address the connection speed, while adjusting certificate validity and implementing ACME may not directly resolve the response time issue related to the HSM connection.