ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
An enterprise is setting up an offline root CA to issue code-signing certificates. Compliance demands that the CA's private key be resistant to disclosure and generated with high-quality entropy. Which approach BEST meets secure key generation and composition requirements for this scenario?
A. Generate a 2048-bit RSA key pair on an administrator's workstation using OpenSSL, then transfer the private key to the CA over an encrypted SSH session.
B. Derive the private key from a strong passphrase with PBKDF2 and archive the resulting key in an encrypted ZIP file on a network share.
C. Accept the CA software's default 1024-bit RSA key pair created during installation and store the private key on the system drive of the CA server.
D. Generate a 2048-bit RSA key pair entirely within an offline FIPS 140-2 Level 3 HSM and escrow the private key by cloning it to a second HSM stored securely off-site.
Generating the CA's signing key pair inside a certified hardware security module (HSM) keeps the private key in tamper-resistant hardware, ensures use of a hardware random number generator for strong entropy, and allows secure escrow/backup to another HSM without the key ever existing in plaintext. This aligns with NIST key-management guidance and FIPS 140-2 Level 3 recommendations for protecting high-value private keys. Creating keys on a workstation and moving them, deriving them from a passphrase, or relying on default 1024-bit keys would all expose the private key to software attack surfaces or insufficient key strength, violating secure generation and storage best practices.