ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your organization operates an internal PKI that issues client TLS certificates to hundreds of microservices hosted on Amazon EC2 instances. Yesterday a private key was reported stolen, and security wants all services to refuse that certificate within minutes while adding as little overhead as possible to new TLS handshakes. Which PKI control best meets these requirements?
Deploy an OCSP responder and enable OCSP stapling on all servers so each TLS handshake carries a signed revocation status.
Publish an updated full certificate revocation list (CRL) and configure every server to download it every 24 hours.
Place the compromised certificate on the CA's hold list to suspend it until it expires naturally.
Reduce the certificate validity period from two years to seven days and re-issue all client certificates.
Online Certificate Status Protocol (OCSP) allows relying parties to query the issuing CA's responder for the current status of a single certificate. When servers are configured for OCSP stapling, they fetch signed "good" or "revoked" responses from the responder at short, configurable intervals and send (staple) the latest response to clients during the TLS handshake. This eliminates the delay of large CRL downloads and spares the client a separate round trip to the responder, while giving near-immediate effect to any revocation the CA publishes: the exposure window shrinks to the staple refresh interval.
Publishing a full CRL and telling clients to download it every 24 hours can leave up to a full day of exposure and still requires clients to retrieve the entire list. Short-lived certificates reduce long-term exposure but do not invalidate the stolen certificate quickly. Placing a certificate on hold (suspension) still relies on CRL distribution and does not address the performance impact. Therefore, enabling an OCSP responder with stapling is the most effective and low-overhead way to meet the stated goals.
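As an added illustration (not part of the question or its explanation), the following Python model uses the third-party `cryptography` package to build an internal CA, issue one service certificate, run an in-memory OCSP responder, and validate a stapled response the way a relying party would. The CA and service names, the `Responder` and `check_staple` helpers, and the ten-minute staple lifetime are all assumptions made for this example.

```python
# Added example: minimal model of OCSP stapling on the third-party `cryptography`
# package. The CA, service cert, Responder and check_staple are constructed here.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID


def utcnow():
    # Naive UTC datetimes are accepted by the x509/OCSP builders in every release.
    return datetime.now(timezone.utc).replace(tzinfo=None)


def make_cert(common_name, key, issuer_cert=None, issuer_key=None, days=30):
    """Issue a certificate for `key`; self-signed CA when no issuer is given."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    is_ca = issuer_cert is None
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject if is_ca else issuer_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(utcnow() - timedelta(minutes=5))
        .not_valid_after(utcnow() + timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(key if is_ca else issuer_key, hashes.SHA256())


class Responder:
    """OCSP responder backed by a tiny revocation index (serial -> revocation time)."""

    def __init__(self, ca_cert, ca_key, lifetime=timedelta(minutes=10)):
        self.ca_cert, self.ca_key, self.lifetime = ca_cert, ca_key, lifetime
        self.revoked = {}

    def revoke(self, cert):
        self.revoked[cert.serial_number] = utcnow()

    def respond(self, cert, now=None):
        """Return a DER-encoded OCSPResponse for `cert`, signed with the CA key."""
        now = now or utcnow()
        revoked_at = self.revoked.get(cert.serial_number)
        builder = ocsp.OCSPResponseBuilder().add_response(
            cert=cert,
            issuer=self.ca_cert,
            algorithm=hashes.SHA256(),
            cert_status=ocsp.OCSPCertStatus.REVOKED if revoked_at else ocsp.OCSPCertStatus.GOOD,
            this_update=now,
            next_update=now + self.lifetime,  # the staple is only valid this long
            revocation_time=revoked_at,
            revocation_reason=x509.ReasonFlags.key_compromise if revoked_at else None,
        ).responder_id(ocsp.OCSPResponderEncoding.HASH, self.ca_cert)
        return builder.sign(self.ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def check_staple(staple_der, presented_cert, ca_cert, now=None):
    """Relying-party checks on a stapled response; returns 'good' or 'revoked'."""
    now = now or utcnow()
    resp = ocsp.load_der_ocsp_response(staple_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError("responder returned an error status")
    # 1. Signed by a key trusted for this issuer (here the CA itself); a forged or
    #    altered staple raises InvalidSignature.
    ca_cert.public_key().verify(
        resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm)
    )
    # 2. About the certificate actually presented in the handshake.
    if resp.serial_number != presented_cert.serial_number:
        raise ValueError("staple is for a different certificate")
    # 3. Fresh: a cached 'good' must not be replayed past next_update.
    try:
        next_update, cmp_now = resp.next_update_utc, now.replace(tzinfo=timezone.utc)
    except AttributeError:  # releases before the *_utc accessors return naive UTC
        next_update, cmp_now = resp.next_update, now
    if next_update is not None and cmp_now > next_update:
        raise ValueError("staple has expired")
    return "revoked" if resp.certificate_status == ocsp.OCSPCertStatus.REVOKED else "good"


def demo():
    """Walk the scenario: staple is good, key is reported stolen, next refresh says revoked."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_cert = make_cert("Internal Root CA", ca_key)
    svc_key = ec.generate_private_key(ec.SECP256R1())
    svc_cert = make_cert("payments-svc.internal", svc_key, ca_cert, ca_key)
    responder = Responder(ca_cert, ca_key)

    staple = responder.respond(svc_cert)                     # server's cached staple
    before = check_staple(staple, svc_cert, ca_cert)         # 'good'
    responder.revoke(svc_cert)                               # key reported stolen
    until_refresh = check_staple(staple, svc_cert, ca_cert)  # still 'good' until the server refreshes
    after = check_staple(responder.respond(svc_cert), svc_cert, ca_cert)  # 'revoked'
    try:  # a staple the server never refreshed is rejected once next_update passes
        check_staple(staple, svc_cert, ca_cert, now=utcnow() + timedelta(hours=1))
        stale = "accepted"
    except ValueError:
        stale = "rejected"
    return before, until_refresh, after, stale


if __name__ == "__main__":
    print(demo())  # ('good', 'good', 'revoked', 'rejected')
```

The second value in the tuple is the point of the question's "within minutes" requirement: a client keeps trusting the cached "good" staple until the server's next refresh, so the exposure window equals the refresh interval, which is why it is kept short. The freshness check is what stops a compromised server from replaying an old "good" indefinitely.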