CompTIA CySA+ (CS0-002) — Question 273

While implementing a PKI for a company, a security analyst plans to utilize a dedicated server as the certificate authority that is only used to sign intermediate certificates. Which of the following are the MOST secure states for the certificate authority server when it is not in use? (Choose two.)

Answer options

Correct answer: C, F

Explanation

The most secure states for the certificate authority server when not in use are 'Powered off' (C) and 'Air gapped' (F). A powered-off server has no running services to access or exploit, and an air-gapped server is isolated from network threats, so it cannot be reached or compromised remotely.