Unlock hundreds more features
Save your Quiz to the Dashboard
View and Export Results
Use AI to Create Quizzes and Analyse Results

OR
Sign inSign in with Facebook
Sign inSign in with Google
Quizzes > Computers & IT

Digital Certificate Quiz: Test Your SSL/TLS and PKI Basics

Quick, free PKI fundamentals quiz. Instant results.

Editorial: Review CompletedCreated By: Tnp Nit SilcharUpdated Aug 24, 2025
Difficulty: Moderate
2-5mins
Learning OutcomesCheat Sheet
Paper art style quiz graphic showing certificate, padlock, shield, magnifying glass icons on sky blue background

This quiz helps you check your understanding of digital certificates, including SSL/TLS and PKI basics. Answer short, real-world questions on CAs, chains, CSRs, revocation, and handshakes, then get your score and study tips. For more practice, explore our cybersecurity fundamentals quiz and cryptography quiz, or prep for exams with a cybersecurity certification practice quiz.

What does SSL stand for?
Secure Shell Layer
Secure Sockets Layer
Security Socket Link
Security System Log
SSL stands for Secure Sockets Layer, a cryptographic protocol designed to provide communications security over a computer network. It was developed by Netscape and later deprecated in favor of TLS. SSL uses a combination of asymmetric and symmetric encryption to secure data in transit. .
Which port does HTTPS use by default?
443
21
80
22
HTTPS, which is HTTP over TLS/SSL, uses TCP port 443 by default to secure web traffic. Port 80 is the default for unencrypted HTTP. Ports 21 and 22 are used for FTP and SSH respectively. .
What does CA stand for in the context of digital certificates?
Certificate Authority
Certified Access
Crypto Asset
Certificate Algorithm
In PKI, CA stands for Certificate Authority, which is an entity that issues and signs digital certificates. CAs validate identities and bind public keys to entities. Trust in a CA is based on its root certificate being trusted by clients. .
Which type of certificate allows only a single domain name?
Wildcard Certificate
Multi-Domain Certificate
Extended Validation Certificate
Single-Domain Certificate
A Single-Domain Certificate secures exactly one fully qualified domain name (FQDN). Wildcard certificates secure a domain and all its subdomains. Multi-Domain (SAN) certificates cover multiple distinct domains. .
What is a public key primarily used for?
Decrypting data
Signing data
Generating randomness
Encrypting data
In asymmetric cryptography, the public key is used to encrypt data which only the corresponding private key can decrypt. The private key can also sign data to prove ownership. Public keys are distributed openly, while private keys remain secret. .
What is the main purpose of a digital certificate?
Encrypt data at rest
Manage network traffic
Authenticate the identity of entities
Generate private keys
A digital certificate binds an entity's identity to its public key, enabling authentication in secure communications. It also contains metadata like validity dates and issuer details. Certificates rely on trusted CAs to vouch for identities. .
Which organization issues publicly trusted SSL/TLS certificates?
Web Browser Vendor
Certificate Authority
Domain Registrar
Internet Service Provider
Publicly trusted SSL/TLS certificates are issued by Certificate Authorities (CAs) that are included in browser and OS trust stores. ISPs, browser vendors, and registrars do not issue these certificates themselves. Trust in a certificate is derived from the CA's root certificate being trusted. .
Which protocol succeeded SSL for securing web traffic?
TLS
IPsec
HTTPS
SSH
TLS (Transport Layer Security) is the successor to SSL and provides improved security and performance. SSL versions are now considered deprecated and insecure. TLS operates in a similar way but with stronger cryptographic algorithms. .
What is the function of a Certificate Revocation List (CRL)?
Shows active certificate policies
Provides root certificates to clients
Lists available encryption algorithms
Lists certificates that have been revoked before expiry
A CRL is published by a CA to list certificates that are no longer valid due to compromise or other reasons. Clients can download the CRL to check if a certificate has been revoked. CRLs are periodically updated and must be fetched regularly. .
What information is contained in the Subject field of an X.509 certificate?
Signature algorithm used
Identity details like common name and organization
URL of the CRL
The public key only
The Subject field specifies the entity (person, organization, or device) the certificate represents. It typically includes the common name (CN), organization (O), and country (C). Other fields like SAN can extend identification. .
What is OCSP used for in PKI?
Real-time status checking of a certificate
Generating certificates
Managing DNS records
Encrypting email
OCSP (Online Certificate Status Protocol) allows clients to query a CA or responder in real time to verify if a certificate is revoked. It provides faster and fresher revocation information than downloading CRLs. OCSP stapling can improve performance and privacy. .
What is the encoding format of a PEM certificate?
JSON object
Base64 with ASCII header and footer
XML structure
Binary DER format
PEM (Privacy Enhanced Mail) certificates are Base64-encoded DER data wrapped between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" markers. This format is ASCII and easy to embed in text files. DER is the binary form of the same data. .
Which hash algorithm is commonly used to sign modern SSL/TLS certificates?
SHA-256
MD5
SHA-1
CRC32
SHA-256 is widely used for signing certificates due to its strong collision resistance. SHA-1 is deprecated because of vulnerabilities. MD5 is considered insecure for digital signatures. Modern CAs have moved to SHA-256 or stronger. .
What does mutual TLS authentication require?
Only the server presents a certificate
Only the client presents a certificate
Both client and server present valid certificates
No certificates are used
Mutual TLS (mTLS) extends standard TLS by requiring the client to also present a valid certificate during handshake. This ensures both parties authenticate each other. Servers verify client certificates against a trusted CA store. .
How does a wildcard certificate work?
It secures all subdomains of a single domain using a "*" placeholder
It must be reissued for each subdomain
It covers multiple different domains
It only secures the root domain
A wildcard certificate uses an asterisk in the domain name (e.g., *.example.com) to secure any first-level subdomain. It is convenient for organizations managing multiple subdomains. It does not cover different top-level domains or deeper levels. .
What is a certificate chain?
A linked list in DNSSEC
A single certificate with multiple keys
A chain of HSM devices
A sequence of certificates from the server to a trusted root
A certificate chain starts with the end-entity (leaf) certificate and includes intermediate CA certificates up to a trusted root CA. Clients validate each link in the chain to establish trust. Proper chain installation is critical for TLS. .
What is the role of the Issuer field in an X.509 certificate?
Identifies the CA that issued the certificate
Specifies the subject's public key
Lists allowed cryptographic algorithms
Contains revocation details
The Issuer field contains the distinguished name of the Certificate Authority that signed and issued the certificate. It allows clients to verify which CA's public key to use in chain validation. It does not hold public keys itself. .
What does key rollover refer to in PKI?
Pinning a certificate to a host
Encrypting data with multiple keys
Replacing a key pair with a new one
Extending certificate validity
Key rollover is the process of retiring an old key pair and deploying a new one, often due to expiration or compromise. It ensures continuity of operations while maintaining security. Both old and new keys may overlap during transition. .
In PKI, what is a trust anchor?
A revoked certificate
A trusted root certificate
An end-entity public key
An intermediate CA certificate
A trust anchor is a root CA certificate that clients inherently trust and use as the starting point for certificate chain validation. It is self-signed and distributed out-of-band (e.g., in browser stores). All chains must link back to a trust anchor. .
What is the purpose of the Authority Information Access (AIA) extension?
Specifies key usage policies
Lists valid subject alternative names
Provides URLs to fetch issuer certificate or OCSP responder
Defines client authentication methods
The AIA extension contains information like the URI for the issuing CA's certificate and the OCSP responder address. Clients can retrieve missing intermediate certificates or check revocation status. This helps build and verify the certificate chain. .
Which signature algorithm is considered quantum-resistant?
RSA with SHA-256
XMSS (eXtended Merkle Signature Scheme)
ECDSA
DSA
XMSS is a hash-based signature scheme standardized for post-quantum security, making it resistant to attacks by quantum computers. RSA, ECDSA, and DSA are vulnerable to quantum-breaking algorithms like Shor's. XMSS and related schemes rely solely on cryptographic hash functions. .
What is the difference between the CN (Common Name) and SAN (Subject Alternative Name) fields?
CN is a single host name; SAN can list multiple names
CN is for email only; SAN is for IPs only
CN is deprecated; SAN is deprecated
CN holds the public key; SAN holds the signature
The CN field traditionally held the primary domain name, but modern practice requires listing all names in the SAN extension. SAN can include multiple DNS names, IP addresses, and URIs. Browsers ignore CN if SAN is present. .
What is a Hardware Security Module (HSM)?
A physical device for secure key storage and cryptographic operations
A certification authority
A software library for encryption
A network firewall
An HSM is a tamper-resistant hardware appliance that securely generates, stores, and uses cryptographic keys. It offloads cryptographic operations from servers and ensures keys never leave secure hardware. HSMs meet compliance standards like FIPS 140-2. .
How does certificate pinning enhance security?
By using longer key lengths
By disabling SSL entirely
By binding a host to specific certificate or public key
By rotating certificates daily
Certificate pinning restricts clients to a known certificate or public key, preventing acceptance of fraudulent or compromised CAs. Even if a rogue CA issues a valid cert, the pinned certificate will not match and the connection is blocked. It reduces risk from CA compromise. .
What is Certificate Transparency and why is it important?
A public logging system for all issued certificates to detect misissuance
A CA policy for extended validation only
A method for encrypting certificate data on disk
A protocol for revoking certificates instantly
Certificate Transparency (CT) provides an open framework where CAs publish all issued certificates to public logs. This enables domain owners and browsers to monitor and detect unauthorized certificates. CT helps prevent misissuance and improves overall trust in PKI. .
0
{"name":"What does SSL stand for?", "url":"https://www.quiz-maker.com/QPREVIEW","txt":"What does SSL stand for?, Which port does HTTPS use by default?, What does CA stand for in the context of digital certificates?","img":"https://www.quiz-maker.com/3012/images/ogquiz.png"}

Study Outcomes

  1. Understand SSL and TLS Fundamentals -

    Grasp the core concepts of SSL certificates and TLS protocols, including encryption methods and handshake processes.

  2. Identify Certificate Authority Roles -

    Recognize the functions and responsibilities of certificate authorities within a PKI, from issuance to revocation.

  3. Describe PKI Structure and Certificate Chains -

    Explain how public key infrastructure is organized and how certificate chains establish a chain of trust.

  4. Analyze Trust Models and Validation Processes -

    Assess various trust models and understand how certificate validation checks ensure secure connections.

  5. Apply Public/Private Key Encryption Knowledge -

    Demonstrate how asymmetric cryptography underpins digital certificates and secures data transmission.

  6. Evaluate Common Certificate Issues and Solutions -

    Identify typical problems like expiration, misconfiguration, and revocation, and learn best practices to resolve them.

Cheat Sheet

  1. SSL Handshake & Certificate Chain -

    The SSL handshake, defined in IETF RFC 5246, securely negotiates encryption parameters by exchanging X.509 certificates and session keys in milliseconds. Visualize the chain of trust like a relay race - each certificate "hands off" trust from the server cert to an intermediate CA and finally to a root CA. Use the mnemonic "Leaf-Intermediate-Root" to remember the chain order when tackling the digital certificate trivia.

  2. Public-Key Infrastructure Fundamentals -

    PKI relies on asymmetric key pairs - one public, one private - where confidentiality and authentication hinge on keeping the private key secret (NIST SP 800-57). Remember "Public for sharing, Private for caring" to distinguish their roles in encryption and digital signatures. This core concept is often tested in SSL certificate tests and PKI certification questions.

  3. Certificate Authority Roles & Trust Models -

    Certificate authorities (CAs) issue and revoke certificates, forming the backbone of trust in digital communications (per CA/Browser Forum Baseline Requirements). From single-root hierarchies to cross-signing models, each trust architecture affects how browsers validate your site's certificate. In your certificate authority quiz prep, compare hierarchical vs. web-of-trust models to boost your confidence.

  4. X.509 Certificate Structure & Extensions -

    X.509 certificates include fields like Subject, Issuer, Validity, and Public Key, plus extensions such as Key Usage and Subject Alternative Name (SAN) as defined in RFC 5280. A quick way to remember is "SIP-VES" (Subject, Issuer, Public key - Validity, Extensions, Signatures). Recognizing these fields inside certificates will help you ace SSL certificate test questions.

  5. Revocation Techniques: CRL vs. OCSP -

    When a certificate is compromised, revocation lists (CRLs) or the Online Certificate Status Protocol (OCSP) signal its invalidity, per RFC 5280 and RFC 6960. Think "CRL=Batch, OCSP=Real-time" to choose the right method for checking status in your system design. Mastering these revocation methods is key for any digital certificate quiz challenge.

Make a Quiz (FREE) Copy & Edit This Quiz Create a Quiz with AI

Computers & IT Quizzes

Powered by: Quiz Maker